B4J Question ERR_SSL_PROTOCOL_ERROR

Philip Prins

Active Member
Licensed User
Longtime User
Hello,

I am using B4J with ABMaterial.
Windows PC, tried JDK and OpenJDK.
Firewall 443 open.

SSL provider is Strato, the server is also from them.
Domain name linked to the server IP.


When trying to connect with Chrome and Explorer I get an ERR_SSL_PROTOCOL_ERROR

1. I made a keystore using the key tool:
keytool -genkey -alias commcheckserver1.eu -keyalg RSA -keysize 2048 -keystore keystore.jks

2. Made a .csr file using this:
keytool -certreq -alias commcheckserver1.eu -file csr.csr -keystore keystore.jks

3. Opened the .csr and pasted it at the SSL provider

Q1: When I create the csr file the first and last name should be the domain name. When I enter www.commcheckserver1.eu as specified on several websites it is not allowed by the SSL provider.
Only when removing www. it is allowed.
Is this the probable cause of my problem?

4. I get 3 certificates from the SSL provider:

  1. Certificate
  2. Root-CA-Certificate
  3. Intermediate Certificate
Q3: Which one is the correct one to convert to keystore?

5. I converted the certificate to the keystore (tried all 3) using:
keytool -keystore keystore -import -alias commcheckserver1.eu -file cert_commcheckserver1.eu.crt -trustcacerts


6. Copied the keystore to File.Dir app folder:

7. Configure SSL (443) before App start
B4X:
Private Sub ConfigureSSL (SslPort As Int)
    Try
        Dim ssl As SslConfiguration
        ssl.Initialize
        ssl.SetKeyStorePath(File.DirApp, KeyStoreFile) 'path to keystore file
        ssl.KeyStorePassword = KeyStorePassword
        ssl.KeyManagerPassword = KeyKeyManagerPassword
        'ssl.EnableConscryptProvider '<---------
        srvr.SetSslConfiguration(ssl, SslPort)
        'add filter to redirect all traffic from http to https (optional)
        srvr.AddFilter("/*", "HttpsFilter", False)
    Catch
        Log("Configure SSL Failed " & LastException)
    End Try
End Sub

Q4: What is the KeyManagerPassword? I use the KeyStorePassword in the described command line but have no idea what the manager password should do?


8. Tried the following code as well without success.

B4X:
myApp.StartServerHTTP2(srvr,"srvr", 80,443,KeyStoreFile,KeyStorePassword,KeyKeyManagerPassword)

9. I noticed this in the log:
2021-06-27 17:52:40.278:INFO:oejus.SslContextFactory:main: x509=X509@6f3c660a(commcheckserver1.eu,h=[commcheckserver1.eu, www.commcheckserver1.eu],w=[]) for SslContextFactory@2d9caaeb[provider=null,keyStore=file:///C:/Users/Administrator/Documents/CC_Protect/Objects/keystore,trustStore=null]

Q5 Can this be the problem?
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
> Only when removing www. it is allowed.
> Is this the probable cause of my problem?
No. This is expected as www. is not part of the host name.

The updated instructions are here: http://www.eclipse.org/jetty/documentation/jetty-9/index.html#loading-keys-and-certificates
Look for more information in the browsers error pages.
Try to add the intermediate and root certificates. It is explained in that link.

This tool can help you understand the keystore content: https://keystore-explorer.org/
OpenSSL is also sometimes required.
 

Philip Prins

> No. This is expected as www. is not part of the host name.
>
> The updated instructions are here: http://www.eclipse.org/jetty/documentation/jetty-9/index.html#loading-keys-and-certificates
> Look for more information in the browsers error pages.
> Try to add the intermediate and root certificates. It is explained in that link.
>
> This tool can help you understand the keystore content: https://keystore-explorer.org/
> OpenSSL is also sometimes required.

In the browser I can see only one error:
VM552:7146 crbug/1173575, non-JS module files deprecated.
(anonymous) @ VM552:7146

I tried the Keystore Explorer and opened the keystore, certificate is valid and all my entries are there.

How to determine if OpenSSL is required?
 

Philip Prins

> Start with a self signed certificate. It should work properly after you add an exception in the browser.
>
> Once you get it working, switch to the real certificate.
Hello Erel,

Finally got it working by using the https://keystore-explorer.org/ tool

Create Keystore type PKCS12

Import certificate

Import Key (PKCS8) 'In my case it was PKCS8, I figured it out with the examine file option in the Keystore tool

Set password

Save as keystore

Put the keystore in File.Dir

B4X:
myApp.StartServerHTTP2(srvr,"srvr", 61045,443,KeyStoreFile,KeyStorePassword,KeyKeyManagerPassword)

Don't forget to open Firewall port 443 and disable Windows IIS services.

Thanks
 
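The keystore layout described in the last post (private key and certificate together in one PKCS12 file), rebuilt with the OpenSSL command line instead of KeyStore Explorer and followed by a check that the file really holds a key matching its certificate. This is an added example, not code from the thread; the self-signed certificate, file names, alias and password are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names, alias, CN and password are constructed placeholders.
PASS='sample-password'

# Throwaway self-signed certificate and PKCS8 private key, standing in for
# the CA-issued certificate and the key that belongs to it.
make_sample_material() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Private key + certificate in one PKCS12 file: the layout a TLS server needs.
# Intermediate certificates could be appended with -certfile chain.pem.
build_keystore() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name example.test -passout "pass:$PASS" -out "$1/keystore.p12"
}

# Certificate only, no private key: opens fine in a viewer but cannot serve TLS.
build_cert_only() {
    openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -passout "pass:$PASS" -out "$1/certonly.p12"
}

# Succeeds only if the file holds a private key whose public half equals
# the public key of the end-entity certificate stored next to it.
keystore_is_servable() {   # $1 = PKCS12 file
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Demo run in a temporary directory.
dir=$(mktemp -d)
make_sample_material "$dir" && build_keystore "$dir" && build_cert_only "$dir"
for f in keystore.p12 certonly.p12; do
    if keystore_is_servable "$dir/$f"; then echo "$f: key matches certificate"
    else echo "$f: no usable private key"; fi
done
rm -rf "$dir"
```

With the JDK tools, `keytool -list -v` shows the same distinction as the entry type: `PrivateKeyEntry` for a key with its certificate, `trustedCertEntry` for a certificate alone.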