cxf-issues mailing list archives

From "Mark Jeffrey (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-5107) PKIX path building failed exception when validating server certificate chain (after release 2.5.10)
Date Fri, 05 Jul 2013 06:27:48 GMT

     [ https://issues.apache.org/jira/browse/CXF-5107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Jeffrey updated CXF-5107:
------------------------------

    Description: 
I seem to be having the same issue as here: CXF-4355.
I downgraded from 2.7.5 to 2.5.2 and then the error disappeared.

I have my code working for the versions under 2.6.0 that I tried ( 2.5.2, 2.5.7, 2.5.9 and
2.5.10) 
All versions I tried from 2.6:  2.6.0, 2.7.5, 3.0.0-SNAPSHOT (SVN revision 1499610, 4-July-2013)
failed.
I tried the trunk because I saw the issue CXF-5075 and thought it might be related (it wasn't)


The main difference with my code and  your testcases is that the server has a chain of 3 certificates
with the root CA being self signed.
(We are also using client side SSL but I don't think this is related).

In my truststore I have all the certificates in the chain (I get the same behaviour with just
the root certificate).

I tried to produce a testcase (to show it failing on 2.7.5 and passing on 2.5.2) from the
sample: wsdl_first_https but didn't manage to get my keystore correct and it failed on server
startup.
I will try again but maybe you have a suitable keystore already?

We're using Java6 but I also tried Java7 and had the same result.

I tried to see what might have caused the change but couldn't really see anything between 2.5.2
and 2.6.0 that may have caused it (but there were a lot of changes so I could easily have
missed it).
Debugging didn't shed any light either.
The service I am connecting to is a third party so I cannot change it.

I am setting up the truststore programmatically:
    private static void setupTrustedCertificates(TLSClientParameters tlsClientParameters) {
        KeyStore trustStore = getKeyStore(trustStoreLoc);
        TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
        tlsClientParameters.setTrustManagers(myTrustStoreKeyManagers);
    }

    private static TrustManager[] getTrustManagers(KeyStore trustStore) {
        try {
            // The algorithm name is taken from KeyManagerFactory, not TrustManagerFactory;
            // the two defaults are configured separately and can differ.
            String alg = KeyManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(alg);
            trustManagerFactory.init(trustStore);
            return trustManagerFactory.getTrustManagers();
        } catch (Exception e) {
            throw throwCleanRuntimeException(e);
        }
    }


Any ideas of something I could try?

Stacktrace is below. I can email the full SSL debug logging but didn't want to attach it here
as it is slightly sensitive.

javax.xml.ws.WebServiceException: Could not send Message.
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:144)
	at $Proxy38.sts(Unknown Source)
	at up.experian.client.ws.ExperianIbanService.authenticate(ExperianIbanService.java:53)
	at up.experian.client.ws.ExperianIbanServiceTest.testAuthenticate(ExperianIbanServiceTest.java:59)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at org.junit.internal.runners.TestMethod.invoke(TestMethod.java:68)
	at org.junit.internal.runners.MethodRoadie.runTestMethod(MethodRoadie.java:107)
	at org.unitils.UnitilsJUnit4TestClassRunner$TestListenerInvokingMethodRoadie.runTestMethod(UnitilsJUnit4TestClassRunner.java:174)
	at org.junit.internal.runners.MethodRoadie$2.run(MethodRoadie.java:88)
	at org.junit.internal.runners.MethodRoadie.runBeforesThenTestThenAfters(MethodRoadie.java:96)
	at org.unitils.UnitilsJUnit4TestClassRunner$TestListenerInvokingMethodRoadie.runBeforesThenTestThenAfters(UnitilsJUnit4TestClassRunner.java:156)
	at org.junit.internal.runners.MethodRoadie.runTest(MethodRoadie.java:86)
	at org.junit.internal.runners.MethodRoadie.run(MethodRoadie.java:49)
	at org.unitils.UnitilsJUnit4TestClassRunner.invokeTestMethod(UnitilsJUnit4TestClassRunner.java:95)
	at org.junit.internal.runners.JUnit4ClassRunner.runMethods(JUnit4ClassRunner.java:61)
	at org.unitils.UnitilsJUnit4TestClassRunner.access$000(UnitilsJUnit4TestClassRunner.java:44)
	at org.unitils.UnitilsJUnit4TestClassRunner$1.run(UnitilsJUnit4TestClassRunner.java:62)
	at org.junit.internal.runners.ClassRoadie.runUnprotected(ClassRoadie.java:33)
	at org.junit.internal.runners.ClassRoadie.runProtected(ClassRoadie.java:45)
	at org.unitils.UnitilsJUnit4TestClassRunner.run(UnitilsJUnit4TestClassRunner.java:68)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:77)
	at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:195)
	at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:63)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://secure.authenticator.uat.uk.experian.com/WASPAuthenticator/TokenService.asmx: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322)
	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
	... 31 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1337)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:998)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
	at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233)
	at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
	at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
	at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295)
	... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319)
	... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 67 more


  was:
I seem to be having the same issue as here: CXF-4355.
I downgraded from 2.7.6 to 2.5.2 and then the error disappeared.

I have my code working for the versions under 2.6.0 that I tried ( 2.5.2, 2.5.7, 2.5.9 and
2.5.10) 
All versions I tried from 2.6:  2.6.0, 2.7.5, 3.0.0-SNAPSHOT (SVN revision 1499610, 4-July-2013)
failed.
I tried the trunk because I saw the issue CXF-5075 and thought it might be related (it wasn't)


The main difference with my code and  your testcases is that the server has a chain of 3 certificates
with the root CA being self signed.
(We are also using client side SSL but I don't think this is related).

In my truststore I have all the certificates in the chain (I get the same behaviour with just
the root certificate).

I tried to produce a testcase (to show it failing on 2.7.5 and passing on 2.5.2) from the
sample: wsdl_first_https but didn't manage to get my keystore correct and it failed on server
startup.
I will try again but maybe you have a suitable keystore already?

We're using Java6 but I also tried Java7 and had the same result.

I tried to see what might have caused the change but couldn't really see anything between 2.5.2
and 2.6.0 that may have caused it (but there were a lot of changes so I could easily have
missed it).
Debugging didn't shed any light either.
The service I am connecting to is a third party so I cannot change it.

I am setting up the truststore programmatically:
    private static void setupTrustedCertificates(TLSClientParameters tlsClientParameters) {
        KeyStore trustStore = getKeyStore(trustStoreLoc);
        TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
        tlsClientParameters.setTrustManagers(myTrustStoreKeyManagers);
    }

    private static TrustManager[] getTrustManagers(KeyStore trustStore) {
        try {
            // The algorithm name is taken from KeyManagerFactory, not TrustManagerFactory;
            // the two defaults are configured separately and can differ.
            String alg = KeyManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(alg);
            trustManagerFactory.init(trustStore);
            return trustManagerFactory.getTrustManagers();
        } catch (Exception e) {
            throw throwCleanRuntimeException(e);
        }
    }


Any ideas of something I could try?



    
> PKIX path building failed exception when validating server certificate chain (after release 2.5.10)
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5107
>                 URL: https://issues.apache.org/jira/browse/CXF-5107
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.7.5
>            Reporter: Mark Jeffrey
>         Attachments: showcerts.txt
>
>
> I seem to be having the same issue as here: CXF-4355.
> I downgraded from 2.7.5 to 2.5.2 and then the error disappeared.
> I have my code working for the versions under 2.6.0 that I tried ( 2.5.2, 2.5.7, 2.5.9 and 2.5.10)
> All versions I tried from 2.6:  2.6.0, 2.7.5, 3.0.0-SNAPSHOT (SVN revision 1499610, 4-July-2013) failed.
> I tried the trunk because I saw the issue CXF-5075 and thought it might be related (it wasn't)
> The main difference with my code and your testcases is that the server has a chain of 3 certificates with the root CA being self signed.
> (We are also using client side SSL but I don't think this is related).
> In my truststore I have all the certificates in the chain (I get the same behaviour with just the root certificate).
> I tried to produce a testcase (to show it failing on 2.7.5 and passing on 2.5.2) from the sample: wsdl_first_https but didn't manage to get my keystore correct and it failed on server startup.
> I will try again but maybe you have a suitable keystore already?
> We're using Java6 but I also tried Java7 and had the same result.
> I tried to see what might have caused the change but couldn't really see anything between 2.5.2 and 2.6.0 that may have caused it (but there were a lot of changes so I could easily have missed it).
> Debugging didn't shed any light either.
> The service I am connecting to is a third party so I cannot change it.
> I am setting up the truststore programmatically:
>     private static void setupTrustedCertificates(TLSClientParameters tlsClientParameters) {
>         KeyStore trustStore = getKeyStore(trustStoreLoc);
>         TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
>         tlsClientParameters.setTrustManagers(myTrustStoreKeyManagers);
>     }
>     private static TrustManager[] getTrustManagers(KeyStore trustStore) {
>         try {
>             // The algorithm name is taken from KeyManagerFactory, not TrustManagerFactory;
>             // the two defaults are configured separately and can differ.
>             String alg = KeyManagerFactory.getDefaultAlgorithm();
>             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(alg);
>             trustManagerFactory.init(trustStore);
>             return trustManagerFactory.getTrustManagers();
>         } catch (Exception e) {
>             throw throwCleanRuntimeException(e);
>         }
>     }
> Any ideas of something I could try?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
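
A stand-alone diagnostic for the failure reported above, as an added example that is not part of the original message or of CXF: it rebuilds the server's certification path with the JDK's `CertPathBuilder` (the call that throws in the last `Caused by`) against the same truststore, with no CXF or TLS handshake involved. The class name `TrustPathCheck`, its three command-line arguments, and the PEM file holding the certificates the server presents (leaf first) are assumptions; it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added diagnostic, not CXF code. TrustPathCheck and its arguments are hypothetical names.
public class TrustPathCheck {

    // Loads a keystore of the JVM's default type from a file.
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Reads every certificate in the file, in file order; the leaf is expected first.
    static List<X509Certificate> loadChain(String path) throws Exception {
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + path);
        }
        return chain;
    }

    // Lists the store's entries. PKIXBuilderParameters(KeyStore, ...) below takes its trust
    // anchors from trusted certificate entries only, so a CA stored under a key entry is ignored.
    static void describeStore(KeyStore store) throws Exception {
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(no X.509 cert)";
            System.out.printf("store    %s [%s] %s%n", alias,
                    store.isCertificateEntry(alias) ? "trustedCert" : "other", subject);
        }
    }

    // Shows how the presented certificates link together and which of them are in the store.
    static void describeChain(List<X509Certificate> chain, KeyStore store) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            boolean issuerIsNext = i + 1 < chain.size() && cert.getIssuerX500Principal()
                    .equals(chain.get(i + 1).getSubjectX500Principal());
            System.out.printf("chain[%d] subject=%s%n         issuer=%s%n"
                    + "         issuerIsNextInFile=%b aliasInStore=%s%n", i,
                    cert.getSubjectX500Principal().getName(),
                    cert.getIssuerX500Principal().getName(),
                    issuerIsNext, store.getCertificateAlias(cert));
        }
    }

    // Builds a path from the leaf to an anchor in the store; the presented certificates
    // are offered to the builder as candidate intermediates.
    static PKIXCertPathBuilderResult buildPath(List<X509Certificate> chain, KeyStore store)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(store, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // test path building only, no CRL/OCSP lookups
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            throw new IllegalArgumentException("usage: <truststore> <password> <chain.pem>");
        }
        KeyStore store = loadStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = loadChain(args[2]);
        describeStore(store);
        describeChain(chain, store);
        try {
            PKIXCertPathBuilderResult result = buildPath(chain, store);
            System.out.println("path built, anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName());
        } catch (CertPathBuilderException e) {
            System.out.println("path building failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

If the path builds here while the CXF call still fails, the next thing to check is whether the handshake is actually using the trust managers set on `TLSClientParameters`; if it fails here as well, compare the `issuer=` lines with the `store` entries to find the missing link.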
