Java RMI SSL: possible keystore / truststore error?
Using the code below to test an SSL connection over RMI:
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class HelloImpl extends UnicastRemoteObject implements Hello {
    public HelloImpl() throws RemoteException {
        // Port 0 = anonymous port; the two factories wrap the RMI connection in SSL/TLS
        super(0, new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory());
    }

    public String sayHello() {
        return "Hello World!";
    }

    public static void main(String args[]) throws Exception {
        // Get reference to the RMI registry running on port 3000 in the local host
        Registry registry = LocateRegistry.getRegistry(null, 3000);
        // Bind this object instance to the name "HelloServer"
        HelloImpl obj = new HelloImpl();
        registry.bind("HelloServer", obj);
        System.out.println("HelloServer bound in registry");
    }
}
The rest is pretty generic (I took some of the code from here: http://blogs.oracle.com/lmalventosa/entry/using_the_ssl_tls_based); basically I am attempting to do server-only authentication to get SSL working. However, I am getting this nagging error:
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], READ: TLSv1 Alert, length = 2
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], RECV TLSv1 ALERT: fatal, bad_certificate
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], called closeSocket()
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
It appears from the debug dump that they do attempt a handshake, going as far as swapping the symmetric keys, but fail during this for some inexplicable reason. During compile, we specify a trust store that is stored in the folder:
$ java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword HelloClient
Any help much appreciated!
It sounds to me like there's an issue with the certificate being served up by the HelloImpl server, which could mean an issue with the way you're starting the server, or an issue with the key/certificate generation process. Could you perhaps run
    keytool -list -v -keystore keystore
on the keystore that your HelloImpl server is being started with, and perhaps start both the server and client with -Djavax.net.debug=SSL to see if any added info is available? (If so, please edit your question with these details.) It's difficult to tell from the above what the error could be without knowing the state of the keystore and truststore, and the process you went through to create them.
EDITED:
A bad_certificate means that the server's certificate is in a format the client either can't understand or wants to reject.
Not much you can do about the former except get a new server cert.
However, it also appears that some browsers send a bad_certificate alert to close an HTTPS connection when the server certificate acquired during the SSL handshake has expired, is self-signed, fails the hostname verification, etc. Firefox uses this alert to close the HTTPS connection while it shows a page to the user asking whether to trust this certificate. If the user agrees, Firefox then opens a new HTTPS connection and this time accepts the certificate instead of sending the bad_certificate alert.
Presumably the alert is sent rather than just closing the connection so the server can have a record of what actually happened, or maybe to abort the connection during the handshake phase rather than run any risk of sending data over it.
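As an added diagnostic (not code from the question or the answer above), the program below does what the answer suggests checking, but without RMI in the way: it loads the keystore the HelloImpl server is started with and the truststore the HelloClient is started with, using the same javax.net.ssl.* system properties the default SSL socket factories read, lists the server's private-key entries, and asks the JDK's default trust manager whether the client side would accept each certificate chain. A rejection printed here is the same decision that produces the bad_certificate alert during the RMI handshake. The class name TrustCheck and the property-based file locations are assumptions; the keystore/truststore types default to the JDK default and can be overridden with javax.net.ssl.keyStoreType / javax.net.ssl.trustStoreType.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic, not part of the original question or answer.
 * Reproduces the client-side trust decision for the server's certificate
 * chain using the JDK's own trust manager, outside of RMI.
 */
public class TrustCheck {

    // Load a keystore file with the given password (null = skip integrity check for JKS).
    static KeyStore load(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    // Build the same kind of trust manager the default SSLContext would build from this truststore.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // checkServerTrusted() wants a TLS key-exchange name, not the raw key algorithm;
    // an unrecognised name is itself rejected, so map the common key types explicitly.
    static String authTypeFor(PublicKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "RSA";
            case "EC":  return "ECDHE_ECDSA";
            case "DSA": return "DHE_DSS";
            default:    return "UNKNOWN";
        }
    }

    public static void main(String[] args) throws Exception {
        String defType = KeyStore.getDefaultType();
        KeyStore serverKs = load(System.getProperty("javax.net.ssl.keyStore"),
                                 System.getProperty("javax.net.ssl.keyStorePassword"),
                                 System.getProperty("javax.net.ssl.keyStoreType", defType));
        KeyStore clientTs = load(System.getProperty("javax.net.ssl.trustStore"),
                                 System.getProperty("javax.net.ssl.trustStorePassword"),
                                 System.getProperty("javax.net.ssl.trustStoreType", defType));
        X509TrustManager tm = trustManagerFor(clientTs);

        boolean keyEntries = false;
        for (Enumeration<String> e = serverKs.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!serverKs.isKeyEntry(alias)) {
                continue;   // only entries with a private key can be presented by the server
            }
            keyEntries = true;
            Certificate[] raw = serverKs.getCertificateChain(alias);
            X509Certificate[] chain = new X509Certificate[raw.length];
            for (int i = 0; i < raw.length; i++) {
                chain[i] = (X509Certificate) raw[i];
            }
            X509Certificate leaf = chain[0];
            System.out.println("alias " + alias + ": " + leaf.getSubjectX500Principal()
                + ", valid " + leaf.getNotBefore() + " .. " + leaf.getNotAfter());
            try {
                leaf.checkValidity();   // expired / not-yet-valid certificates are rejected too
                tm.checkServerTrusted(chain, authTypeFor(leaf.getPublicKey()));
                System.out.println("  trusted by the client truststore");
            } catch (CertificateException ex) {
                System.out.println("  REJECTED: " + ex);
            }
        }
        if (!keyEntries) {
            System.out.println("keystore has no private-key entries; the server has nothing to present");
        }
    }
}
```

Run it with both sets of properties on one command line, e.g. java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=... -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword TrustCheck. For a self-signed server certificate, "trusted" requires that exact certificate (exported from the server keystore with keytool -exportcert and imported into the client truststore with keytool -importcert) to be present in the truststore; a chain that only validates against a CA the truststore does not contain, or a certificate outside its validity period, shows up here as REJECTED with the underlying reason instead of the bare bad_certificate alert.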