Test of Java SSL / keystore / cert setup. See comment #1 for a how-to.
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establishes an SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: " + SSLPoke.class.getName() + " <host> <port>");
            System.exit(1);
        }
        try {
            // The default factory validates the server chain against the JVM's
            // default trust store (cacerts, or whatever -Djavax.net.ssl.trustStore names).
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));
            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();
            // Write a test byte to get a reaction :) (this is what triggers the handshake)
            out.write(1);
            // Print any bytes already waiting, as their integer values
            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");
        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}
4ndrej (Owner) Jan 16, 2013

Test of java SSL / keystore / cert setup. Came from https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java

Usage:

  1. extract cert from server:
    openssl s_client -connect server:443
  2. negative test cert / keytool:
    java SSLPoke server 443
    you should get something like
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  3. import cert into default keytool:
    keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts
  4. positive test cert / keytool:
    java SSLPoke server 443
    you should get this:
    Successfully connected
jdros May 21, 2015

Thanks! Helped us to debug a cert issue.

jackchen858 Jul 23, 2015

Doesn't seem to work as I thought it should. It doesn't check if the server certificate matches the parameter.

example:

java SSLPoke ip.address.of.sslserver 443
Successfully connected

So it doesn't really check the certificate?


bekce Nov 5, 2015

@jackchen858 +1 It does not

wesleyforti Dec 3, 2015

It did not work for me.

I always get Successfully connected msg

janeklb Jan 12, 2016

Make sure you run this with the right java in case you have multiple installations

mohannmurthy May 3, 2016

Works brilliantly. Thanks

smeduru May 11, 2016

Thanks a lot. Followed your instructions. Fix worked perfectly.

dadez Nov 29, 2016

How to use it behind a proxy?

joerg Jan 19, 2017

For those not living in the Java World here is how I compiled and used this:

  • Copy code to somewhere
  • Call Java compiler /usr/java/jdk1.6.0_45/bin/javac /tmp/SSLPoke.java (use your version of Java here)
  • Call tool with ClassPath (-cp) that you copied the file to: /usr/java/jdk1.6.0_45/bin/java -cp /tmp SSLPoke my-url.com 443

Tzaphkiel Feb 13, 2017

Very useful thanks.

A note, however: instead of updating the Java JRE/JDK installation's keystore, best practice dictates that you should define your own truststore (if you have company CA or application certificates, for example):

# import certificate into your local TrustStore
keytool -import -trustcacerts -storepass changeit -file "./class 1 root ca.cer" -alias C1_ROOT_CA -keystore ./LocalTrustStore
# use it in JAVA:
java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT
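An added example (not 4ndrej's gist code) that covers both the point raised by jackchen858 above, that SSLPoke never checks the certificate's name against the host argument, and the separate-trust-store approach in this comment: it enables HTTPS endpoint identification on the socket and can load a keytool-built trust store from a path instead of touching the JRE's cacerts. The class name SSLPokeStrict, the argument layout and the fallback password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Like SSLPoke, but verifies that the certificate was issued for <host>
 *  and can use a separate trust store instead of the JRE's cacerts.
 *  Usage: java SSLPokeStrict <host> <port> [truststore [storepass]] */
public class SSLPokeStrict {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("Usage: SSLPokeStrict <host> <port> [truststore [storepass]]");
            System.exit(1);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx;
        if (args.length >= 3) {
            // Explicit trust store (e.g. ./LocalTrustStore from the keytool step above);
            // "changeit" is only an assumed default password.
            char[] pass = (args.length >= 4 ? args[3] : "changeit").toCharArray();
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[2])) {
                ts.load(in, pass);
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
        } else {
            ctx = SSLContext.getDefault(); // honours -Djavax.net.ssl.trustStore
        }
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // A bare SSLSocket validates the chain but not the name; enable
            // HTTPS-style endpoint identification so a mismatch fails the handshake.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // SSLHandshakeException on untrusted chain or name mismatch
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Successfully connected to " + peer.getSubjectX500Principal());
        }
    }
}
```

Run it against the server's IP address and it fails with a name-mismatch handshake error even when the chain is trusted, which is the behaviour jackchen858 expected from the original.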

jmara Feb 27, 2017

Will the default trustStore be overwritten by -Djavax.net.ssl.trustStore or is the new trustStore an addition to the default one? @Tzaphkiel

gbenmansour Apr 4, 2017

Thanks for sharing. When I try the negative test, I get this exception:

javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
at SSLPoke.main(SSLPoke.java:23)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.DHCrypt.(DHCrypt.java:114)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
... 2 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
at com.sun.net.ssl.internal.ssl.DHCrypt.(DHCrypt.java:107)

Any idea why I get this? Another thing: can you tell me how I can generate a certificate file from a server?

kunickiaj Jun 29, 2017

@jmara -Djavax.net.ssl.trustStore will override the default truststore (cacerts). You can copy the default one and then add your cert and set it via -Djavax.net.ssl.trustStore so you don't lose the default CAs.

msteinebach Aug 3, 2017

Works well! Thanks

P.S. If you don't use the default keystore, you'll need to pass it and the password for the keystore into your command as arguments.

dragon788 Oct 21, 2017

Thanks guys, these steps helped me debug why a couple of Atlassian products couldn't talk to each other. I got it working for now, but in my "ideal" world, since every release of an Atlassian product includes its own JRE, I will automate the above steps into a script to inject the "peer" applications' (hosted on other servers) certificates into only the "vendored" JRE cacerts to allow them to trust each other. This way I'm not polluting the system, but I can link all the applications to each other without a bunch of warnings and failures.

jralmaraz Jan 9, 2018

Thanks guys, just a +1 that is helping me debug an SSL issue on Weblogic between AdminServer and NodeManager.

Cheers!

ReverseLogicSocial Mar 2, 2018

I am having trouble w.r.t. a local certificate.

$ java SSLPoke localwc.in 443
Successfully connected

$ java SSLPoke localwc.in 8443
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
...

$ java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 SSLPoke localwc.in 8443
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

$ java -Djavax.ssl.trustStore=~/Developer/apache-tomcat-8.0.26/ssl/cacerts SSLPoke localwc.in 8443
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

$ keytool -list -v -keystore ~/Developer/apache-tomcat-8.0.26/ssl/cacerts
##This shows entry for my localhost as localwc.in as


Alias name: localwc.in
Creation date: 2 Mar, 2018
Entry type: trustedCertEntry

.....


I am accessing 8443 via tomcat.
How can I overcome it?

wtfiwtz Mar 9, 2018

http://portecle.sourceforge.net/ is also a very useful tool for loading and testing the Java Trust Store database
