Last Post 28 Mar 2017 10:37 AM by  JBraund
(Closed) Using Autoupdate in application on WebLogic server fails due to incorrect certificate
 4 Replies

JBraund (New Member, Posts: 7)
08 Mar 2017 09:24 AM
    Good morning,

    We are seeing an issue when attempting to implement the 51Degrees Autoupdate service in our application. We are running a J2EE application in the WebLogic application server. When autoupdate runs, we receive the following error:

    <Security> <BEA-090504> <Certificate chain received from 51degrees.com - 40.118.29.72 failed hostname verification check. Certificate contained *.azurewebsites.net but check expected 51degrees.com>

    When using the openssl utility to inspect the certificate chain, we see this same certificate:

    $ openssl s_client -connect 51degrees.com:443
    CONNECTED(00000003)
    depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    verify return:1
    depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
    verify return:1
    depth=0 CN = *.azurewebsites.net
    verify return:1
    ---
    Certificate chain
    0 s:/CN=*.azurewebsites.net
    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
    1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

    However, when inspecting the certificate for the 51degrees.com site in the browser, we see a certificate for 51degrees.com from GoDaddy being presented instead.

    This is preventing us from being able to use the Autoupdate service, which we've purchased a Premium licence to make use of. Could we get some assistance with this please?

    Thanks,
    James
    0

    Joseph Dix (New Member, Posts: 20)
    08 Mar 2017 05:10 PM
    Hi James,

    Apologies for the inconvenience. Can I ask which version of the JDK you are using?
    At first glance, this appears to be a problem with SNI SSL (Server Name Indication), which JDK 1.6 does not support.

    You can test this with the 'openssl' command by doing:
    $ openssl s_client -servername 51degrees.com -connect 51degrees.com:443

    Kind regards,
    Joseph
    0

    JBraund (New Member, Posts: 7)
    10 Mar 2017 10:03 AM
    Hi Joseph,

    We're using Java 8 (Update 102) with WebLogic 12.1.3.

    Here's the output from the command you provided:

    $ openssl s_client -servername 51degrees.com -connect 51degrees.com:443
    CONNECTED(00000003)
    depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    verify return:1
    depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    verify return:1
    depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
    verify return:1
    depth=0 1.3.6.1.4.1.311.60.2.1.3 = GB, businessCategory = Private Organization, serialNumber = 07397529, C = GB, ST = Berkshire, L = Reading, O = 51Degrees.mobi Limited, CN = 51degrees.com
    verify return:1
    ---
    Certificate chain
    0 s:/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/serialNumber=07397529/C=GB/ST=Berkshire/L=Reading/O=51Degrees.mobi Limited/CN=51degrees.com
    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
    2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
    i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    ---
    Server certificate

    Perhaps an issue with how WebLogic managed SNI? Any further advice you can offer is appreciated.

    Cheers,
    James
    0

    Joseph Dix (New Member, Posts: 20)
    10 Mar 2017 01:04 PM
    Unfortunately, it looks like WebLogic does not support SNI: https://docs.oracle.com/middleware/...m#SECMG494
    I'm currently looking for possible solutions; I'll get back to you later with my findings.

    Also, did automatic updates work before, or did you recently move to a WebLogic server?

    Regards,
    Joseph
    0

    JBraund (New Member, Posts: 7)
    28 Mar 2017 10:37 AM
    • Accepted Answer
    Hi Joseph,

    Oracle have advised us that we can patch WebLogic 12.1.3 with the following update to enable SNI support:

    WebLogic Patch 19926398

    We will look to roll this out in future. Thanks for your help, we can close this off now.

    Cheers,
    James
    0
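
The comparison the thread makes by eye, as an added example (not part of the original posts, and not 51Degrees or Oracle code): it extracts the leaf CN from two `openssl s_client` outputs, one captured without `-servername` and one with it, and reports whether the expected hostname only matches when SNI is sent. The function names are hypothetical, the sample input is trimmed from the two outputs quoted in the thread, and matching only the subject CN is a simplification (real verifiers also check subjectAltName).

```shell
#!/bin/sh
# Capture real input with the commands from the thread, for example:
#   openssl s_client -connect HOST:443 </dev/null 2>&1
#   openssl s_client -servername HOST -connect HOST:443 </dev/null 2>&1

# leaf_cn: read s_client output on stdin, print the CN of the depth=0 (leaf) cert.
leaf_cn() {
    sed -n 's/^[[:space:]]*depth=0 .*CN *= *\([^,]*\).*$/\1/p' | head -n 1
}

# host_matches HOST NAME: succeed if HOST matches a certificate name, where a
# leading "*." stands for exactly one DNS label (simplified wildcard rule).
host_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*) suffix=${pat#\*}            # e.g. ".azurewebsites.net"
              label=${host%"$suffix"}     # the part "*" would have to cover
              [ "$label" != "$host" ] && [ -n "$label" ] &&
                  case "$label" in *.*) false ;; *) true ;; esac ;;
        *)    [ "$host" = "$pat" ] ;;
    esac
}

# sni_verdict HOST OUTPUT_WITHOUT_SNI OUTPUT_WITH_SNI
#   ok-without-sni : the default certificate already matches HOST
#   sni-required   : only the certificate served with SNI matches HOST
#   mismatch       : neither certificate matches HOST
sni_verdict() {
    cn_plain=$(printf '%s\n' "$2" | leaf_cn)
    cn_sni=$(printf '%s\n' "$3" | leaf_cn)
    if host_matches "$1" "$cn_plain"; then echo "ok-without-sni"
    elif host_matches "$1" "$cn_sni"; then echo "sni-required"
    else echo "mismatch"
    fi
}

# Sample input: depth=0 lines trimmed from the two s_client runs in the thread.
NO_SNI='depth=0 CN = *.azurewebsites.net
verify return:1'
WITH_SNI='depth=0 1.3.6.1.4.1.311.60.2.1.3 = GB, businessCategory = Private Organization, serialNumber = 07397529, C = GB, ST = Berkshire, L = Reading, O = 51Degrees.mobi Limited, CN = 51degrees.com
verify return:1'

sni_verdict 51degrees.com "$NO_SNI" "$WITH_SNI"
```

OpenSSL 1.1.1 and later send SNI by default, so on those versions the first capture needs `-noservername` to reproduce what a client without SNI sees.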