Troubleshooting SSL


When Celoxis connects to your servers over SSL, it must be able to validate the SSL certificate presented by your server against the Java trusted CA certificate store. For this to happen, the SSL certificate must be obtained from a trusted Certificate Authority (CA) such as Verisign, RapidSSL, Thawte or GeoTrust. Celoxis does not support certificates signed by CAs that Java does not trust.

About SSL Poke

Celoxis SSL Poke is a Java program that connects via SSL to a host and port of your choice. The server could be a web server, mail server or any other server that supports SSL. The primary objective is to determine whether Java can authenticate the server's certificate using its trusted CA certificate store. The program also verifies that the host and port are correct.

Downloading SSL Poke

Download ssl-poke.zip from here

Using SSL Poke

  1. Unzip the ssl-poke.zip file. It should create a folder ssl-poke that contains the SSLPoke.class file.
  2. Open a terminal window and cd to the ssl-poke folder. You must now be in the same directory that contains the SSLPoke.class file.
  3. Then type: java SSLPoke <host> <port>

Examples

Connect to our web site

$ java SSLPoke www.celoxis.com 443
SUCCESS 

Connect to a server with a self-signed certificate

$ java SSLPoke localhost 8843
FAILURE: javax.net.ssl.SSLHandshakeException : PKIX path building failed
         unable to find valid certification path to requested target

Connect to our IMAP+SSL mail server

$ java SSLPoke secure.emailsrvr.com 993
SUCCESS 


Error Messages

  • javax.net.ssl.SSLHandshakeException : sun.security.validator.ValidatorException: PKIX path building failed
    Java cannot authenticate the server's SSL certificate because its Certificate Authority (CA) is not present in its trusted CA store.
  • java.net.UnknownHostException
    The host name is invalid, i.e. not resolvable by your DNS server.
  • java.net.ConnectException : Connection refused
    The port is invalid. No server is listening on that port.
  • java.net.ConnectException : Operation timed out
    A connection to the host and port combination could not be established. Most likely your firewall is blocking the connection, or the IP address of the host is incorrect.
  • javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
    There is a mismatch between the host specified in the input and the host name in the SSL certificate.
  • Error: Could not find or load main class SSLPoke
    You are not in the directory that contains the SSLPoke.class file. cd to that directory and try again.
  • FAILURE: javax.net.ssl.SSLException : Unrecognized SSL message, plaintext connection?
    You are connecting to a non-SSL port.
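
The same kind of check, written out as an added example (this is not the source of Celoxis SSL Poke; the class name TlsTrustCheck and the 10-second timeout are assumptions). It performs one handshake against Java's default trusted CA store, sorts the exceptions listed above into causes, and additionally turns on host name verification, which a bare SSLSocket does not do by default.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example with a hypothetical class name; not the SSLPoke source.
public class TlsTrustCheck {
    private static final int TIMEOUT_MS = 10_000; // assumed timeout
    // Performs one handshake using Java's default trust store and returns a verdict line.
    static String check(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (Socket plain = new Socket()) {
            plain.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
            plain.setSoTimeout(TIMEOUT_MS);
            // Layer TLS over the TCP connection; passing the host name enables SNI.
            try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                SSLParameters params = tls.getSSLParameters();
                // A bare SSLSocket checks only the chain; this also checks the host name.
                params.setEndpointIdentificationAlgorithm("HTTPS");
                tls.setSSLParameters(params);
                tls.startHandshake();
                return "SUCCESS: negotiated " + tls.getSession().getProtocol();
            }
        } catch (UnknownHostException e) {
            return "FAILURE: host name does not resolve: " + e.getMessage();
        } catch (SocketTimeoutException e) {
            return "FAILURE: timed out (firewall or wrong address?): " + e.getMessage();
        } catch (ConnectException e) {
            return "FAILURE: TCP connect failed (wrong port or blocked?): " + e.getMessage();
        } catch (SSLHandshakeException e) {
            return "FAILURE: certificate chain or host name not accepted: " + e.getMessage();
        } catch (SSLException e) {
            return "FAILURE: not a TLS endpoint or protocol error: " + e.getMessage();
        } catch (IOException e) {
            return "FAILURE: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println(check(args[0], Integer.parseInt(args[1])));
    }
}
```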