Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities

Hi,

On Fri, Apr 22, 2016 at 8:07 PM, Steve Sobol - Lobos Studios
<steve@xxxxxxxxxxxxxxxx> wrote:
> Well yeah, that's the thing, I do have them. With Apache I just have them
> bundled in a single file and I use the SSLCertificateChainFile directive (I
> believe) to point to them. I tried putting the CA certs in the truststore.
> Didn't work. Tried putting them in the keystore with the website certs.
> Didn't work.
>
> So, I'm a little lost. :(

Truststores are only useful when you receive a certificate and you want
to verify that it is trustable. Typically clients use them (e.g. the
server sends a self-signed certificate).

I think we have the same (or a very similar) setup for Webtide's website.

If I do:

keytool -list -keystore keystore

it prints:

Your keystore contains 4 entries (fingerprints removed):

comodo_ca, Jan 15, 2016, trustedCertEntry,
addtrust_ca_root, Jan 15, 2016, trustedCertEntry,
server, Jan 15, 2016, PrivateKeyEntry,
comodo_domain_ca, Jan 15, 2016, trustedCertEntry,

If I do:

keytool -list -v -keystore keystore

it prints a lot more. The important thing is that the "server" alias
(in our case, or the alias that has the private key) has attached 4
certificates.
In our case I see:

Alias name: server
Creation date: Jan 15, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
...
Certificate[2]:
...
Certificate[3]:
...
Certificate[4]:
...

These entries should match the other entries you have in the keystore.

If you don't have "Certificate chain length: 4" (or whatever length
you have), but you have only length=1, then you have imported the
certificate into the keystore in the wrong way.

Let us know.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.