Date: Thu, 4 Jul 2013 12:13:48 +0000 (UTC)
From: "Mark Jeffrey (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Subject: [jira] [Updated] (CXF-5107) PKIX path building failed exception when validating server certificate chain (after release 2.5.10)

     [ https://issues.apache.org/jira/browse/CXF-5107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Jeffrey updated CXF-5107:
------------------------------

    Attachment: showcerts.txt

File as a result of:
openssl s_client -connect secure.authenticator.uk.experian.com:443 -showcerts > showcerts.txt

> PKIX path building failed exception when validating server certificate chain (after release 2.5.10)
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5107
>                 URL: https://issues.apache.org/jira/browse/CXF-5107
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.7.5
>            Reporter: Mark Jeffrey
>         Attachments: showcerts.txt
>
>
> I seem to be having the same issue as here: CXF-4355.
> I downgraded from 2.7.6 to 2.5.2 and then the error disappeared.
> I have my code working for the versions under 2.6.0 that I tried (2.5.2, 2.5.7, 2.5.9 and 2.5.10)
> All versions I tried from 2.6: 2.6.0, 2.7.5, 3.0.0-SNAPSHOT (SVN revision 1499610, 4-July-2013).
> I tried the trunk because I saw the issue CXF-5075 and thought it might be related (it wasn't)
> The main difference with my code and your testcases is that the server has a chain of 3 certificates with the root CA being self-signed.
> (We are also using client side SSL but I don't think this is related).
> In my truststore I have all the certificates in the chain (I get the same behaviour with just the root certificate).
> I tried to produce a testcase (to show it failing on 2.7.5 and passing on 2.5.2) from the sample: wsdl_first_https but didn't manage to get my keystore correct and it failed on server startup.
> I will try again but maybe you have a suitable keystore already?
> We're using Java6 but I also tried Java7 and had the same result.
> I tried to see what might have caused the change but couldn't really see anything between 2.5.2 and 2.6.0 that may have caused it (but there were a lot of changes so I could easily have missed it).
> Debugging didn't shed any light either.
> Any ideas?
> Stacktrace is below. I can email the full SSL debug logging but didn't want to attach it here as it is slightly sensitive.
> javax.xml.ws.WebServiceException: Could not send Message.
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:144)
>     at $Proxy38.sts(Unknown Source)
>     at up.experian.client.ws.ExperianIbanService.authenticate(ExperianIbanService.java:53)
>     at up.experian.client.ws.ExperianIbanServiceTest.testAuthenticate(ExperianIbanServiceTest.java:59)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at org.junit.internal.runners.TestMethod.invoke(TestMethod.java:68)
>     at org.junit.internal.runners.MethodRoadie.runTestMethod(MethodRoadie.java:107)
>     at org.unitils.UnitilsJUnit4TestClassRunner$TestListenerInvokingMethodRoadie.runTestMethod(UnitilsJUnit4TestClassRunner.java:174)
>     at org.junit.internal.runners.MethodRoadie$2.run(MethodRoadie.java:88)
>     at org.junit.internal.runners.MethodRoadie.runBeforesThenTestThenAfters(MethodRoadie.java:96)
>     at org.unitils.UnitilsJUnit4TestClassRunner$TestListenerInvokingMethodRoadie.runBeforesThenTestThenAfters(UnitilsJUnit4TestClassRunner.java:156)
>     at org.junit.internal.runners.MethodRoadie.runTest(MethodRoadie.java:86)
>     at org.junit.internal.runners.MethodRoadie.run(MethodRoadie.java:49)
>     at org.unitils.UnitilsJUnit4TestClassRunner.invokeTestMethod(UnitilsJUnit4TestClassRunner.java:95)
>     at org.junit.internal.runners.JUnit4ClassRunner.runMethods(JUnit4ClassRunner.java:61)
>     at org.unitils.UnitilsJUnit4TestClassRunner.access$000(UnitilsJUnit4TestClassRunner.java:44)
>     at org.unitils.UnitilsJUnit4TestClassRunner$1.run(UnitilsJUnit4TestClassRunner.java:62)
>     at org.junit.internal.runners.ClassRoadie.runUnprotected(ClassRoadie.java:33)
>     at org.junit.internal.runners.ClassRoadie.runProtected(ClassRoadie.java:45)
>     at org.unitils.UnitilsJUnit4TestClassRunner.run(UnitilsJUnit4TestClassRunner.java:68)
>     at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
>     at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:77)
>     at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:195)
>     at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:63)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://secure.authenticator.uat.uk.experian.com/WASPAuthenticator/TokenService.asmx: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322)
>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
>     ... 31 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1337)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:998)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295)
>     ... 43 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319)
>     ... 61 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>     ... 67 more

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira