hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1262) Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
Date Sun, 18 Nov 2012 12:36:58 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499785#comment-13499785 ]

Oleg Kalnichevski commented on HTTPCLIENT-1262:
-----------------------------------------------

Hi Sebastian
The trouble is that the server presents a certificate to HttpClient which is self-signed and
does not have a formal CA,
---
  Version: V3
  Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
...
  Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
               To: Tue Oct 15 22:46:23 CEST 2013]
  Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
...
---
whereas the certificate presented to Firefox is clearly different and has a proper CA chain.
See screenshot attached.

The only theory I can think of is that www.popcornopolis.com is effectively a clever reverse
proxy that can distribute SSL sessions across different hosts based on some characteristics
of the SSL handshake messages. Sessions initiated by common browsers get directed to the target
host whereas those initiated by what is believed to be a crawler get directed to some development
host with a self-signed certificate. I can easily be wrong here, though.

Oleg
                
> Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
> ----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1262
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1262
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>    Affects Versions: 4.2.2
>         Environment: JDK 1.6, Mac OS X 10.{6,8}, Ubuntu
>            Reporter: Cédric Chantepie
>            Priority: Trivial
>              Labels: pki, ssl
>         Attachments: ssl-ca-chain.png
>
>
> Trying to request some HTTPS websites, we get a 'PKIX path building failed' error.
> Seems it's about intermediate/chain certificate.
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
> at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at org.jirafe.shaded.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
> at org.jirafe.shaded.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
> at org.jirafe.shaded.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> at Test.main(Test.java:22)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
> ... 17 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
> ... 23 more
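
To see which certificate chain a server presents to a JVM client rather than to a browser, which is the comparison made in the comment above, a probe like the following can be used. It is an added example, not code from HttpClient or from this thread; the class names `ChainProbe` and `Recorder` are made up here, and the host is taken from the command line.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Hypothetical diagnostic (not HttpClient code): prints the chain this JVM receives.
public class ChainProbe {
    // Records the presented chain, then delegates to the JVM's default PKIX check,
    // so certificate validation is observed and never switched off.
    static class Recorder implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] seen;
        Recorder(X509TrustManager d) { delegate = d; }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            seen = chain;
            delegate.checkServerTrusted(chain, authType);
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            delegate.checkClientTrusted(c, a);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Self-signed: subject equals issuer and the signature verifies under the cert's own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { System.err.println("usage: java ChainProbe <host> [port]"); return; }
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        Recorder rec = new Recorder((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        String verdict = "PKIX validation OK (hostname not checked by this probe)";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], port)) {
            s.startHandshake();
        } catch (SSLHandshakeException e) {
            verdict = "handshake failed: " + e.getMessage();
        }
        if (rec.seen == null) { System.out.println("no certificate received; " + verdict); return; }
        for (int i = 0; i < rec.seen.length; i++) {
            X509Certificate c = rec.seen[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    sigAlg=%s notAfter=%s selfSigned=%b%n",
                i, c.getSubjectX500Principal().getName(), c.getIssuerX500Principal().getName(),
                c.getSigAlgName(), c.getNotAfter(), isSelfSigned(c));
        }
        System.out.println(verdict);
    }
}
```

Running it under the same JVM that produces the `PKIX path building failed` error and comparing the printed subject and issuer with what the browser shows tells you whether the client is receiving a different certificate or the same one with an incomplete chain.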
