3

I am developing an application that is making a request to third party service via a proxy.

My application is running on Weblogic10.3.0, and I encountered a problem with BAD_CERTIFICATE exception as follows.

 javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)

There are many advices online saying that by adding -DuseSunHttpHandler=true will help solving the problem since the third party has upgraded their certificates (128bit to 256bit). The solution is working fine, however, the issue at hand now is that I cannot find an official article that clearly say that Certicom only supports up to 128bit and in order to solve it, we need to enable JSSE which, in my understanding, is used by SunHttpHandler.

Another concern here is, "is there a known impact from using SunHttpHandler?" I understand that from 10.3.3 or 10.3.5 onward, Certicom will be deprecated and use JSSE by default but upgrading weblogic is not an option at the moment.

Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
Natxuki Maigo
  • 33
  • 1
  • 3
  • 1
    I need an official info for impact analysis and reference so that this thing could go live. Thank you. – Natxuki Maigo Jun 12 '15 at 06:24
  • We are on weblogic 10.3.6. I got the same error as above. I got the recommendation to use -DuseSunHttpHandler=true but I checked both applications that are talking here have 256-bit cert. Just wondering if this is the right place to use the SunHTTPHandler – Abhi Jul 21 '16 at 19:01

1 Answers1

2

Microsoft and Google announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring as early as after December 31, 2015.

Certificates can be created with different 'hash algorithms', including

1) SHA1: a 160 bit hash

2) SHA2: a family of two similar hash functions with different block sizes, known as SHA-256 and SHA-512 (this is a newer algorithm)

Up until recently, only the SHA1 algorithm was supported with WebLogic. But starting with WebLogic 10.3.3, the SHA2 algorithm is supported as well.

If you wish to use a certificate with a SHA2 hash algorithm, then you will need to enable JSSE SSL (which trusts stronger certificates such as SHA2)

Oracle strongly recommend that you upgrade to the latest WebLogic Maintenence Pack and the latest JDK patch as there are some known issues with JSSE SSL and lower WebLogic maintenance packs and Java patches. You should be using WebLogic 10.3.6 at a minimum

SHA2 (SHA256 etc.) is supported from weblogic 11g(10.3.6) on-wards but certificates will work only with the JSSE implementation(-Dweblogic.security.SSL.enableJSSE=true).

You can check Frequently Asked Questions about SSL Certificates on WebLogic on official documentation of above on Oracle Metalink( support.oracle.com)

Man-I-n-MiddLeWare
  • 131
  • 1
  • 7