Servoy Forum

[Harjo]

HI there,

I have succeeded to get my servoy-client / servoy-admin & servoy-webclient to start with SSL (https) with a validated sub-domain certificate for one year, for free
(Will soon post a manual, on how todo that)
For testing purposes I'm now using port 8888

Now I have the following question:
I now, set the keystore file and the passphrase also in the servoy-admin page (useSLL is selected) -> restart server.
My servoy.properties file, contains the line:

Code: Select all

SocketFactory.rmiServerFactory=com.servoy.j2db.server.rmi.tunnel.ServerTunnelRMISocketFactoryFactory

When I now connect, I can choose out of 2 different connections strings:

Code: Select all

https://mydomain:8888/servoy-client/mySolution.jnlp

(connectionMode = http&socket, so rmi port 1099 is needed)

and by using a profile: tunnel

Code: Select all

https://mydomain:8888/servoy-client/tunnel/mySolution.jnlp

The profile contains this:

Code: Select all

system.property.SocketFactory.tunnelConnectionMode=http
system.property.com.sebster.tunnel.http.client.chunked=false
system.property.com.sebster.tunnel.http.client.closeRequestOnFlush=false

With both Url's I now get the following error:

Code: Select all

avax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
   at com.sebster.tunnel.impl.qe.a(qe.java:9)
   at com.sebster.tunnel.impl.pe.connect(pe.java:9)
   at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:5)
   at com.sebster.tunnel.impl.w.<init>(w.java:8)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:10)

When I clear both the keystore & keystore passphrase AND useSLL = selected, after restarting server, everything is working fine.
(But now, servoy-admin is complaining, that I did'nt set my own keystore and passphrase: THIS IS NOT SECURE!!)

When I set the useSLL = unselected/false, everything is working fine also, BUT still the smartclient says at the bottom of the screen: SSL encryption is used.

So I'm a bit confused, do I need to set my own keystore & passphrase in the servoy-admin page, when I have already set the servoy tomcat to SSL?
(remember, I have two connections strings: one with rmi, and one with http tunnel)

[Harjo]

I have completely removed now the tomcat SSL and just tried setting the keystore file & passphrase into the servoy-admin page, but I'm getting the same error again.

Code: Select all

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
   at com.sebster.tunnel.impl.qe.a(qe.java:9)
   at com.sebster.tunnel.impl.pe.connect(pe.java:9)
   at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:5)
   at com.sebster.tunnel.impl.w.<init>(w.java:8)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)

I have trusted the certificate, for my domain here: https://www.startssl.com/?app=40
(StartSSL Free, class 1)

imported this into my keystore + two root certificates (2 *.pem files from startssl.com)
SSL with webclient is working great ( I see the green SSL sign, in my URL-bar)

Has it something todo, that this is a class 1??

[Harjo]

Anyone?

[ROCLASI]

Hi Harjo,

I know StartSSL has a page where they explain how to install their certs in specific services. Did you follow the Tomcat guidelines on their site?
In my experience not every cert is installed the same way (at least when using a webserver, not sure about Tomcat)

[Harjo]

Hi Robert,

if you read carefully, I have no trouble at all, with Tomcat SSL!! webclient is working fine..

When I want to use the keystore file, for the smart client, than things go weird!!

[ROCLASI]

if you read carefully..

Reading ? Hey, I am a Mac user...we don't read anything

Anyway, I think this one is for Johan/Sebastiaan.

[Harjo]

yeah, I need a guru!

[Westy]

I have succeeded to get my servoy-client / servoy-admin & servoy-webclient to start with SSL (https) with a validated sub-domain certificate for one year, for free
(Will soon post a manual, on how todo that)...

Really looking forward to your manual. We need it for https with webclient.

Dean

[Harjo]

HI Dean,

first I want to sort some things out, but there seams to be not so much SSL knowledge here!

[jcompagner]

that keystore/certificate will not work as far as i can see for java to java communication, because that CA (StartCom i believe) is not (yet) added to the system certificate store of java.