SSL with Thawte

Hi everybody,

I’m trying to use a Trial SSL from Thawte to try SSL with Servoy.

I have generated 2 different certificates from their website using the same .csr file: one standard and one PKCS7
Then I have tried to import the standard certificate into my keystore using the same alias as the keystore one:

keytool -import -alias mykey -keystore myks.ks -trustcacerts -file trial-standard.crt

I got the following error:

keytool error: java.lang.Exception: Failed to establish chain from reply

Then I have tried to import the PKCS7 certificate into a copy of the original keystore (not the one I tried to import to previously), also using the same alias as the keystore one:

keytool -import -alias mykey -keystore myks.ks -trustcacerts -file trial-pkcs7.crt

This time I got a question but it worked and the import seemed to be done:

Top-level certificate in reply:

Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 0
Valid from: Thu Aug 01 01:00:00 BST 1996 until: Thu Dec 31 21:59:59 GMT 2020
Certificate fingerprints:
MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

… is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore

So I have copied this keystore into server/conf/keystore/ (by the way I had to create the folder “keystore” as it didn’t exist)
Then I entered the SSL details into the administration page to get these details in the servoy.properties file:

SocketFactory.compress=true
SocketFactory.useSSL=true
SocketFactory.SSLKeystorePassphrase=******** (Password used when creating the keystore)
SocketFactory.SSLKeystorePath=C\:\\Program Files (x86)\\Servoy\\application_server\\server\\conf\\keystore\\myks.ks
SocketFactory.useTwoWaySocket=true

But with this configuration the server doesn’t restart and I get this error in .service_log.txt:

STATUS | wrapper | 2009/08/05 11:10:58 | → Wrapper Started as Service
STATUS | wrapper | 2009/08/05 11:10:59 | Launching a JVM…
INFO | jvm 1 | 2009/08/05 11:10:59 | Wrapper (Version 3.1.2) http://wrapper.tanukisoftware.org
INFO | jvm 1 | 2009/08/05 11:10:59 |
INFO | jvm 1 | 2009/08/05 11:11:00 | 1 [WrapperSimpleAppMain] ERROR com.servoy.j2db.util.Debug - Throwable
INFO | jvm 1 | 2009/08/05 11:11:00 | javax.crypto.BadPaddingException: Given final block not properly padded
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.sun.crypto.provider.SunJCE_f.b(DashoA13*…)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.sun.crypto.provider.SunJCE_f.b(DashoA13*…)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.sun.crypto.provider.DESedeCipher.engineDoFinal(DashoA13*…)
INFO | jvm 1 | 2009/08/05 11:11:00 | at javax.crypto.Cipher.doFinal(DashoA13*…)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.servoy.j2db.util.Settings.load(Settings.java:120)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.servoy.j2db.util.Settings.loadFromFile(Settings.java:57)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.servoy.j2db.server.ApplicationServer.main(ApplicationServer.java:269)
INFO | jvm 1 | 2009/08/05 11:11:00 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO | jvm 1 | 2009/08/05 11:11:00 | at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 | at java.lang.reflect.Method.invoke(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 | at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:136)
INFO | jvm 1 | 2009/08/05 11:11:00 | at java.lang.Thread.run(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 |
INFO | jvm 1 | 2009/08/05 11:11:00 | WrapperSimpleApp: Encountered an error running main: java.io.IOException: Given final block not properly padded
INFO | jvm 1 | 2009/08/05 11:11:00 | java.io.IOException: Given final block not properly padded
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.servoy.j2db.util.Settings.load(Settings.java:141)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.servoy.j2db.util.Settings.loadFromFile(Settings.java:57)
INFO | jvm 1 | 2009/08/05 11:11:00 | at com.servoy.j2db.server.ApplicationServer.main(ApplicationServer.java:269)
INFO | jvm 1 | 2009/08/05 11:11:00 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO | jvm 1 | 2009/08/05 11:11:00 | at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 | at java.lang.reflect.Method.invoke(Unknown Source)
INFO | jvm 1 | 2009/08/05 11:11:00 | at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:136)
INFO | jvm 1 | 2009/08/05 11:11:00 | at java.lang.Thread.run(Unknown Source)
STATUS | wrapper | 2009/08/05 11:11:02 | on_exit trigger matched. Restarting the JVM. (Exit code: 1)
STATUS | wrapper | 2009/08/05 11:11:06 | Launching a JVM…

So what should I do?
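The keytool messages in the post (“Failed to establish chain from reply” for the standard certificate, and the “is not trusted. Install reply anyway?” prompt for the PKCS7 reply) both come from keytool trying to link the CA reply to the private key under the alias and then to a trust anchor in the JRE’s cacerts. The following program is an added example, not code from the original post or from Servoy; it loads a keystore and reports the three things worth checking before (or after) importing a reply: whether the alias holds a private key, whether the leaf certificate belongs to that key (same RSA modulus), whether every certificate in the chain is signed by the next one, and whether the top of the chain is anchored in cacerts. The keystore path, alias and password are hypothetical defaults taken from the post’s command lines.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

/** Added diagnostic for a JKS keystore; not part of Servoy or keytool. */
public class KeystoreChainCheck {

    public static void main(String[] args) throws Exception {
        // Hypothetical defaults (same names as the keytool commands in the post).
        String ksPath = args.length > 0 ? args[0] : "myks.ks";
        String alias = args.length > 1 ? args[1] : "mykey";
        char[] password = (args.length > 2 ? args[2] : "changeme").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, password);
        }

        // 1. The alias must be a private-key entry, i.e. the one the CSR was generated from.
        //    Importing a CA reply under any other alias only creates a trusted-cert entry.
        if (!ks.isKeyEntry(alias)) {
            System.out.println("'" + alias + "' is not a private-key entry; import the reply under the CSR's alias");
            return;
        }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("chain length under '" + alias + "': " + chain.length);

        // 2. The leaf certificate must belong to the private key (compare the RSA modulus).
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean sameKey = priv instanceof RSAPrivateKey
                && leaf.getPublicKey() instanceof RSAPublicKey
                && ((RSAPrivateKey) priv).getModulus()
                        .equals(((RSAPublicKey) leaf.getPublicKey()).getModulus());
        System.out.println("leaf certificate matches private key: " + sameKey);

        // 3. Each certificate must be signed by the next one up the chain.
        for (int i = 0; i + 1 < chain.length; i++) {
            try {
                chain[i].verify(chain[i + 1].getPublicKey());
                System.out.println("chain[" + i + "] is signed by chain[" + (i + 1) + "]");
            } catch (Exception e) {
                System.out.println("chain[" + i + "] is NOT signed by chain[" + (i + 1) + "]: " + e);
            }
        }

        // 4. keytool -trustcacerts looks for the top of the chain (or its issuer) in the JRE's cacerts.
        //    A CA test root such as the Thawte one in the post is never there, hence the prompt.
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        System.out.println("top of chain anchored in cacerts: " + anchoredInCacerts(top));
    }

    /** True if some trusted certificate in $JAVA_HOME/lib/security/cacerts issued (or is) the given certificate. */
    static boolean anchoredInCacerts(X509Certificate cert) throws Exception {
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(cacerts)) {
            trust.load(in, "changeit".toCharArray()); // default cacerts password
        }
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            Certificate c = trust.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate anchor = (X509Certificate) c;
            if (anchor.equals(cert)) return true; // the root itself is trusted
            if (anchor.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                try {
                    cert.verify(anchor.getPublicKey()); // the issuer is trusted and really signed it
                    return true;
                } catch (Exception ignored) {
                    // same name, different key: keep looking
                }
            }
        }
        return false;
    }
}
```

Run it as `java KeystoreChainCheck myks.ks mykey <password>` after the import. If step 2 prints false, the reply was generated from a different CSR or imported under the wrong alias; if step 3 reports an unsigned link, the intermediate certificate is missing and must be imported as a trusted-cert entry first; if step 4 prints false for a trial/test root, that is expected and is exactly why keytool asked “Install reply anyway?”.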

We have the same problem; we get: Given final block not properly padded

When we assign the keyfile directly in server.xml, it works. But then only in the web client. A smart client does not want to start anymore.

Could anyone shed some light on this?

Thanks
Patrick

One of our customers is trying to set it up in their environment and gets exactly the same exception:

javax.crypto.BadPaddingException: Given final block not properly padded

Seems to be a general issue? :roll:

Found this on Java Sun forum:

BadPaddingException has two main causes. First, the key being used to decrypt is not the same as the key being used to encrypt and second, the ciphertext is corrupt.

Any suggestion?

Found other comments about this exception:

This generally is caused by one of three things:

  1. Your ciphertext is getting munged in transit. Make sure you’re not trying to cram ciphertext into a String - that’s the most common mistake.

  2. You’re using a different mode/padding on each side.

And, the number one cause of BadPaddingException:

  1. Your keys don’t match. To a Cipher, decryption turns random bytes into different random bytes - only the human knows that the new plaintext is “reasonable”. So the Cipher can’t complain about the key. It can recognize that the resulting plaintext ends with a padding-string that it doesn’t recognize - so that’s what it complains about.

Base64 and dump your key on each side (use key.getEncoded() to get the byte to dump on the Java side.) Make sure the two B64 strings match.

If our problem is due to case 1), what does it mean exactly? we didn’t use the right key when importing?! :roll:

We too are getting this error. Web client will launch and work but the smart client will not. We get an error that the data service cannot be found. Our Server log says:

javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*…)
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*…)
at com.sun.crypto.provider.DESedeCipher.engineDoFinal(DashoA13*…)
at javax.crypto.Cipher.doFinal(DashoA13*…)
at com.servoy.j2db.util.Settings.load(Settings.java:69)
at com.servoy.j2db.util.Settings.loadFromFile(Settings.java:5)
at com.servoy.j2db.server.ApplicationServer.main(ApplicationServer.java:454)

Any ideas? Does this have to do with the change in key lengths for CRTs by most CAs? (i.e. GoDaddy doesn’t allow 1024-bit CSRs, so we specified our keysize to be 2048 when we generated the CSR and KS with keytool)

Chico

I’ve never experienced this problem, but I use DigiCert: http://www.digicert.com/

Hi,

No one with a solutions/workarounds for this problem? Getting the same message with our Geotrust SSL certificate.

This has to do with the encryption of passwords that Servoy does in the Servoy settings files.

What you could do is open the servoy.properties file in a text editor and change all the password fields to plain text,
then save it and start the server. If you then save the file again through the admin pages it should be encrypted again (now with the new certificates you use).

I changed all the passwords to plain text, but it doesn’t fix the problem. Still getting the BadPadding exception which was mentioned above.

Also the SocketFactory.SSLKeystorePassphrase isn’t encrypted in my properties file (only DB passwords were encrypted).

You didn’t touch all the places, or you are not editing the right servoy.properties file.
You have to replace all values that start with “encrypted:” with just your password, without the “encrypted:”.

Also, that SSLKeystorePassphrase can’t be encrypted, because then we would have a chicken-and-egg problem.
That one is used to set up the encryption that decrypts the DB passwords… so if it were itself encrypted, how could it decrypt them?
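The two points made in this thread (the quoted “your keys don’t match” explanation of BadPaddingException, and the chicken-and-egg note that the keystore passphrase is the secret that decrypts the “encrypted:” values) can be shown together with the JCE cipher named in the stack traces, DESede with PKCS5 padding. The program below is an added example and is not Servoy’s code: the way it derives a DESede key from the passphrase (SHA-256 truncated to 24 bytes), the fixed IV, the “encrypted:” prefix handling and the property names are all assumptions made for the demonstration. It encrypts a constructed DB password under the old passphrase, then walks a constructed servoy.properties and tries to decrypt every “encrypted:” value with the new passphrase, which is what the server effectively does after the keystore was replaced.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added demonstration of why a changed keystore passphrase yields BadPaddingException; not Servoy's code. */
public class EncryptedSettingsCheck {

    static final String PREFIX = "encrypted:";
    static final byte[] IV = new byte[8]; // fixed all-zero IV: demo-only assumption, fine here because every value is encrypted once

    // Assumed key derivation: 24-byte DESede key from SHA-256 of the passphrase (not Servoy's scheme).
    static SecretKeySpec keyFrom(String passphrase) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(passphrase.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(digest, 24), "DESede");
    }

    static String encrypt(String plain, String passphrase) throws Exception {
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, keyFrom(passphrase), new IvParameterSpec(IV));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    /** Plain values pass through untouched; "encrypted:" values are decrypted with the given passphrase. */
    static String decrypt(String value, String passphrase) throws Exception {
        if (!value.startsWith(PREFIX)) {
            return value;
        }
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, keyFrom(passphrase), new IvParameterSpec(IV));
        byte[] ct = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        // With the wrong key the last block decrypts to random bytes whose trailing PKCS#5 padding is
        // almost always invalid, so doFinal throws "Given final block not properly padded".
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String oldPassphrase = "old-keystore-passphrase"; // passphrase of the keystore that was in use when the file was saved
        String newPassphrase = "new-keystore-passphrase"; // passphrase of the keystore that replaced it

        // Constructed servoy.properties content; property names other than the SocketFactory ones are hypothetical.
        Properties props = new Properties();
        props.setProperty("server0.password", encrypt("dbsecret", oldPassphrase));
        props.setProperty("server1.password", "still-plain-text");
        props.setProperty("SocketFactory.useSSL", "true");
        // The passphrase itself must stay in plain text: it is the secret that unlocks the others.
        props.setProperty("SocketFactory.SSLKeystorePassphrase", newPassphrase);

        String passphrase = props.getProperty("SocketFactory.SSLKeystorePassphrase");
        for (String name : props.stringPropertyNames()) {
            String value = props.getProperty(name);
            if (!value.startsWith(PREFIX)) {
                continue; // nothing to decrypt; this is the state the thread's workaround puts every password into
            }
            try {
                decrypt(value, passphrase);
                System.out.println(name + ": decrypts with the current passphrase");
            } catch (BadPaddingException e) {
                System.out.println(name + ": " + e.getMessage()
                        + " (value was encrypted under a different passphrase; replace it with the plain password)");
            }
        }
    }
}
```

Running it prints the BadPaddingException for server0.password and silently skips the plain-text entries, which is the behaviour the workaround above relies on: strip every “encrypted:” value to its plain password, start the server, and let the admin pages re-encrypt under the passphrase now in the file. One caveat for anyone reading the exception as proof of a key mismatch: PKCS#5 padding validates by accident on roughly one wrong key in 256, so a missing exception for a single value does not prove the key is right, whereas the exception itself is reliable evidence that it is wrong.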

Hi, thanks for your help. The application now starts with the ssl specified.

Maybe you also know the following:
The web client still doesn’t work on https (but it does on http). Do I need to configure something more?

For an https web client you need to configure the Tomcat that Servoy ships (or Apache in front of it) to enable https:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html