Viktor Maksimov, 2016-07-22 09:38:33
Java

Java -> NATS TLS connection: where does "Extended key usage does not permit use for TLS server authentication" come from?

Hello.
In general, I have a NATS server and I need to connect to it; NATS uses channel encryption without client authorization by key.
There is a root CA, a server certificate and a private key, respectively; in the best traditions of Java I make keystore.jks and truststore.jks, with the private key and server certificate in the former and the root CA in the latter.
Below is a piece of code as an example.

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.concurrent.TimeoutException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import io.nats.client.ConnectionFactory;

public class SslTlsComplexTest {

    private static final Logger log = LoggerFactory.getLogger(SslTlsComplexTest.class);

    public void testReadKeystore() {

        final File keyStore = new File("/path/nats/keystore.jks");
        final File trustStore = new File("/path/nats/truststore.jks");

        KeyManagerFactory   kmf = null;
        TrustManagerFactory tmf = null;

        // setup and load key store (client private key + server certificate)
        try {
            kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");

            final char[] keyPassPhrase = "b596d6ecb46769bc52acdf0a38d5ee26168e44a0".toCharArray();
            final KeyStore ks = KeyStore.getInstance("JKS");
            // try-with-resources so the stream is closed even when load() throws
            try (InputStream in = new FileInputStream(keyStore)) {
                ks.load(in, keyPassPhrase);
            }

            kmf.init(ks, keyPassPhrase);
        } catch (NoSuchAlgorithmException | CertificateException | KeyStoreException | UnrecoverableKeyException |
                NoSuchProviderException | IOException e) {
            log.error("Error in opening keystore => " + e.getMessage());
        }

        // setup and load trust store (root CA)
        try {
            final char[] trustPassPhrase = "b596d6ecb46769bc52acdf0a38d5ee26168e44a0".toCharArray();
            final KeyStore tks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(trustStore)) {
                tks.load(in, trustPassPhrase);
            }
            tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
            tmf.init(tks);
        } catch (NoSuchAlgorithmException | CertificateException | KeyStoreException | NoSuchProviderException |
                IOException e) {
            log.error("Error in opening truststore => " + e.getMessage());
        }

        // create context and connect
        try {
            if (kmf != null && tmf != null) {

                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

                ConnectionFactory connectionFactory = new ConnectionFactory();
                //connectionFactory.setConnectionName(appName);
                //connectionFactory.setPingInterval(2000);
                connectionFactory.setSecure(true);
                connectionFactory.setTlsDebug(true);
                connectionFactory.setSSLContext(sslContext);
                //connectionFactory.setConnectionTimeout(2000);
                connectionFactory.setVerbose(true);
                connectionFactory.setServers("nats://[email protected]:4222");
                //connectionFactory.setReconnectBufSize(60000);
                //connectionFactory.setReconnectAllowed(true);
                connectionFactory.createConnection();
            } else {
                log.error("Keystore and trust store not initialized...");
            }

        } catch (NoSuchAlgorithmException | IOException | TimeoutException | KeyManagementException e) {
            log.error(e.getMessage());
        }

    }
}

As a result, we get

11:06:50.330 [main] DEBUG io.nats.client.ConnectionImpl - Connecting to nats://[email protected]:4222
11:06:50.550 [main] DEBUG io.nats.client.ConnectionImpl - Connected to nats://[email protected]:4222
11:06:51.117 [main] ERROR SslTlsComplexTest - sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication

Actually, the question: "Extended key usage does not permit use for TLS server authentication" <- how do I deal with this?
PS. From what I understand, there is a problem if the TLS certificate is a wildcard.
I am not strong in cryptography and I can't make sense of abstract stories about the cause of this error. Is there anyone knowledgeable?
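The validator message above is raised when the certificate the server presents carries an Extended Key Usage extension that lacks serverAuth (and anyExtendedKeyUsage); the following added diagnostic, not part of the question or of the NATS client, reads the EKU of each certificate in a JKS file or a PEM file so you can see which certificate is restricted. It assumes a JKS path plus password, or a PEM path, as command-line arguments; the OIDs are the standard ones from RFC 5280.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/** Reports the Extended Key Usage of certificates and whether Java's
 *  TLS validator will accept each one for *server* authentication. */
public class EkuCheck {

    // RFC 5280 OIDs; the JSSE validator accepts serverAuth or anyExtendedKeyUsage for a TLS server.
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    static final String ANY_EKU     = "2.5.29.37.0";

    /** True when the EKU extension is absent (no restriction) or lists serverAuth / anyExtendedKeyUsage. */
    static boolean permitsServerAuth(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage(); // null means the extension is not present
        return eku == null || eku.contains(SERVER_AUTH) || eku.contains(ANY_EKU);
    }

    static void report(String label, X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        System.out.println(label + ": " + cert.getSubjectX500Principal());
        System.out.println("  EKU: " + (eku == null ? "<absent, any usage allowed>" : eku));
        if (!permitsServerAuth(cert)) {
            System.out.println("  -> Java will reject this certificate for TLS server authentication"
                    + (eku.contains(CLIENT_AUTH) ? " (only clientAuth is present)" : ""));
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: a .jks keystore (args[1] = its password) or a PEM/DER certificate file
        if (args[0].endsWith(".jks")) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
            for (String alias : Collections.list(ks.aliases())) {
                report(alias, (X509Certificate) ks.getCertificate(alias));
            }
        } else {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(args[0])) {
                report(args[0], (X509Certificate) cf.generateCertificate(in));
            }
        }
    }
}
```

Run it against the certificate the NATS server actually serves (not only against the local truststore): a wildcard name has no bearing on this check, only the EKU values do.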
