B4J Question jRDC2 with SSL example

[Angel Garcia]

Hello all,
Wondering if there is an example of jRDC2 with SSL connection, just in order to put me on the right direction.
First I'll go threw this tutorial:
https://www.b4x.com/android/forum/t...installing-ssl-certificate.55194/#post-346876

And later go threw this tutorial:
https://www.b4x.com/android/forum/threads/server-ssl-connections.40130/

And the extra code in jrdc2 i need to add is something like this?:

Dim xSr As SslConfiguration
    xSr.Initialize
    xSr.KeyManagerPassword="SomeKeyManagerPassword"
    xSr.KeyStorePassword="SomeKeyStorePassword"
    xSr.SetKeyStorePath(File.DirAssets,"somefile.crt")
    srvr.SetSslConfiguration(xSr,17179)' a different port of the common http?
srvr.AddFilter("/*", "HttpsFilter", False)

Is this ok?

And after all that i could use https with jrdc2?, am i correct?

Many thanks all for your help!

 

[Erel]

You don't really need the filter. Just call the https link from the clients.

a different port of the common http?

Yes.

 

[Angel Garcia]

Hello,
Sorry for the super late response, i was coding some other pending features of the App.
I have already bought a security certificate from cheapsslshop, i have the 4 certs:
AAACertificateServices.crt
SectigoRSADomainValidationSecureServerCA.crt
USERTrustRSAAAACA.crt
mydomain.crt
How i create the keystore file from this point?
I've been trying to do the imports with the java keytool of this tutorial with no success:
https://www.b4x.com/android/forum/t...installing-ssl-certificate.55194/#post-346876
I have an "illegal option" exception:

Please help!

EDIT:
I finally was able to create the jetty.keystore file and imported the four certs with the "-importcert" command of keytool in this order:
AAACertificateServices.crt
USERTrustRSAAAACA.crt
SectigoRSADomainValidationSecureServerCA.crt
mydomain.crt
But i dont know if im doing it correctly because in jRDC i have a no valid keystore error:
java.lang.IllegalStateException: no valid keystore
Maybe its important to mention that i created the certificate request with the IIS tool of windows server, i dont know if that affects this, also the the bit length is 4096
Also threw the link tutorial of keytool is only requested the KeyStorePassword, where do i get the KeyManagerPassword?
Please help!!

 

[OliverA]

where do i get the KeyManagerPassword?

At times this is not needed. Don’t use it and see what happens.

 

[Angel Garcia]

Hello,
Still nothing, same error. .
Theres is an easier way to accomplish this?, i beleive we need an updated full tutorial for this, i think its quite complicated and needed for the security it provides for the jrdc server.
Many thanks all for your help

 

[Erel]

You need to put quotes around the file name as it has spaces.

 

[OliverA]

xSr.SetKeyStorePath(File.DirAssets,"somefile.crt")

Placing the keystore in the assets folder will generate the "no valid keystore" error. Try placing your generated keystore in File.DirApp and place it in the same location as your .jar file (and change the code to reflect the new location).

 

[Angel Garcia]

Hello Oliver,
Thanks that did the trick, now it works!
But now, i can't see the "test connection successful" with https, with the classic:
https://mydomain:17178/test, i get in return the "This website cannot provide a secure connection" ERR_SSL_PROTOCOL_ERROR error

I tried to make a query from B4A App with https and of course i get an error and from jRDC:
2020-10-08 23:25:05.225:WARNejh.HttpParser:qtp1232367853-19: Illegal character 0x16 in state=START for buffer HeapByteBuffer@753f21ee[p=1,l=517,c=8192,r=516]={\x16<<<\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03\\Q\x1e\x88\xA8\xD7\x0c...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

I used the port 17179 in the SSL configuration in jRDC , and in the config file the port used is 17178
Something i don't understand is how its managed 2 ports with the jRDC??
How do i resolve this?, i need to open additional port 17179 on windows firewall??

I just want to make secure calls/queries/etc from an B4A App to jRDC server

I think i'm close but, still cant make the secure connection

Please help!!?

 

[Erel]

You need to use https://mydomain:17179/test

Something i don't understand is how its managed 2 ports with the jRDC??

There is a single relevant port: 17179

 

[Angel Garcia]

Hi Erel,
Thanks for your advice, just did as you said with https://mydomain:17179/test
And now i get a cipher error
"This website cannot provide a secure connection
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Protocol not supported
The client and server do not support the same version of SSL or encryption protocol."
Whats missing?

 

[OliverA]

What platform (B4J, B4A, B4i) is your client? What version of OS is running on your client?

 

[Angel Garcia]

Hello Oliver,
Well, the B4A App is on a Samsung J4, Android 10, but i'm executing the test url from a single web page on my laptop.
From the web page i get the error posted above using the test url, and from the App i call the endpoint https://mydomain:17179/rdc and i get "java.net.SSLHandshakeException:Handshake failed", and i dont see any query attemp or error on the jRDC log.
I don't know what is missing.
The jRDC is running on a VPS with Windows Server 2012
Maybe its important to mention that i already used the same certificate and bind it to the port 443 for performing post/get request to an aspx.net page, but the cert supplier told me that the same certificate could be used to bind it to more ports.
Whats wrong?

 

[MiguelL]

Hola Angel,

I've gone through exactly the same trouble as you did during the last few days. I finally got it working using a LetsEncrypt certificate (which has the advantage that it's "better/more" trusted than any self signed certificate.
Here are all my steps, it's pretty simple, once you get it working
https://www.b4x.com/android/forum/t...how-to-use-in-java-server.123222/#post-769944
Hope it helps.
Saludos.

 

[OliverA]

Maybe its important to mention that i already used the same certificate and bind it to the port 443 for performing post/get request to an aspx.net page

So you have a certificate imported into the IIS of the server? If so, you can export that certificate and import it into a keystore file. That should take care of the private key issue.

 

[OliverA]

For export steps, see: https://enterpriseit.co/windows-server/exporting-ssl-certificate-pfx-from-windows-server-iis/ You'll need the password you use for the export for the import to a jks file.

 

[Angel Garcia]

Here are all my steps, it's pretty simple, once you get it working
https://www.b4x.com/android/forum/t...how-to-use-in-java-server.123222/#post-769944
Hope it helps.

Hi Miguel,
i would like to try your solution, the downside of letsencrypt is that reading the FAQ they only last 3 months, and you have to keep renewing the certificates.
But if it works nice i would consider it as an option. Also i can't find the tool to create the certificates on the web page, you need to download a tool right?
Many thanks

 

[Angel Garcia]

For export steps, see: https://enterpriseit.co/windows-server/exporting-ssl-certificate-pfx-from-windows-server-iis/ You'll need the password you use for the export for the import to a jks file.

Now it works!!,
I followed this steps, exported the certificate as pfx and later used java keytool to import it as a JKS file with this command:
keytool -importkeystore -srckeystore C:\SSLCerts\mycert.pfx -srcstoretype pkcs12 -destkeystore C:\SSLCerts\mykeystore.jks -deststoretype JKS

i got a JKS file and use it in the code of the jRDC server:
xSr.KeyStorePassword="MyPassword"
xSr.SetKeyStorePath(File.DirApp,"mykeystore.jks")
srvr.SetSslConfiguration(xSr,17179)' a different port of the common 17178 jrdc uses?
srvr.Start

In the web page with the url test connection now i see the connection successful, with the padlock icon

But, there is a problem, in the B4A App with the endpoint:

https://mydomain:17179/rdc

, now i got a different error:
javax.net.ssl.SSLHandShakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
What is that?

 

[OliverA]

Did you check the "Include all certificates in the certification path if possible" option during the export? I should be available when you pick the format of the export.

 

[Angel Garcia]

Did you check the "Include all certificates in the certification path if possible" option during the export? I should be available when you pick the format of the export.

Lol, no, because the tutorial said it should go unchecked, but, let me try an export with that option checked and will let you know

 

[MiguelL]

Hi Miguel,
i would like to try your solution, the downside of letsencrypt is that reading the FAQ they only last 3 months, and you have to keep renewing the certificates.
But if it works nice i would consider it as an option. Also i can't find the tool to create the certificates on the web page, you need to download a tool right?
Many thanks

If your are in windows (as I am for now), yes I'm not sure if there's an auto-renewal option, but you could do something with a batch file and maybe have that one running every 2 months or so with some task scheduler task. (always first do a --dry-run with certbot, as you only can do it a few times per week. If it's too early, you'd have to wait another week).
I downloaded the (beta) installer from here: https://certbot.eff.org/lets-encrypt/windows-other.html, you can download the executable below point "4" after making your choice (top of page) under "my website is running". (I can't remember well, but I think I chose "None" and "Windows").
I'll try to see if there's a way to auto-renew on windows and post it here once I find out. ( I think I saw a post of someone on this forum).