hc-httpclient-users mailing list archives

From Christopher BROWN <br...@reflexe.fr>
Subject Same server, same client, SSLPeerUnverifiedException with Java 7 but not with Java 6 and HTTP Client
Date Thu, 08 Nov 2012 13:15:56 GMT
Hello,

When I run a client program I wrote under Java 6 using Apache HTTP client
4.2 and connect to one of our servers with a startssl certificate, it
works, but when I run the same program, connecting to the same server using
Java 7 on the client, it fails.  The server works fine in all web browsers
I tried.  I have tested using Windows 7 and Mac OS X 10.8.  My JDK versions
are 1.6.0_37 and 1.7.0_09.

The error being returned is javax.net.ssl.SSLPeerUnverifiedException: peer
not authenticated

I'm a bit surprised that the older JDK (6) succeeds and that it's the more
"recent" JDK (7) that triggers failure.  I had initially suspected that it
was linked to:
https://issues.apache.org/jira/browse/HTTPCLIENT-1119

...but by debugging the JDK SSL engine (see below), I'm wondering if JDK 7
doesn't have the same root certificates as JDK 6...

I have captured the SSL output using -Djavax.net.debug=all and can provide
full logs.  The appropriate sections (I've cut out some sections in
ellipsis, and only included the difference for JDK 6 output; the
difference is at the end of the certificate chain) seem to be:

[ --- JDK 7 output --- ]

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=hostmaster@reflexe.fr, CN=pi.reflexe.fr, C=FR,
OID.2.5.4.13=dY5B6zfZU7iFXNvt
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

(...)

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: pi.reflexe.fr
  DNSName: reflexe.fr
]

(...)

chain [1] = [
[
  Version: V3
  Subject: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure
Digital Certificate Signing, O=StartCom Ltd., C=IL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

chain [2] = [
[
  Version: V3
  Subject: CN=StartCom Certification Authority, OU=Secure Digital
Certificate Signing, O=StartCom Ltd., C=IL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

(...)

***
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
qtp1728816301-45, SEND TLSv1 ALERT:  fatal, description =
certificate_unknown
qtp1728816301-45, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E                               .......
qtp1728816301-45, called closeSocket()
qtp1728816301-45, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
qtp1728816301-45, IOException in getSession():
 javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

[ --- JDK6 output => differs only at end --- ]

***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=StartCom Certification Authority, OU=Secure Digital
Certificate Signing, O=StartCom Ltd., C=IL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Thanks,
Christopher
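As an added diagnostic example (not part of the original post and not HttpClient code), the program below loads the running JRE's default trust anchors through the standard TrustManagerFactory and reports whether a root whose Subject DN contains the given text is among them; running it once under each JDK shows directly whether the "PKIX path building failed" result comes from a missing root in that JDK's trust store. It assumes no custom trust store beyond the javax.net.ssl.trustStore property and that cacerts lives at its usual location under java.home.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Lists the trust anchors the running JRE will use for PKIX path building
 * and reports whether a given root CA (matched by Subject DN substring) is
 * among them. Run it once under each JDK to compare the two trust stores.
 */
public class TrustAnchorCheck {

    /** Returns the JRE's default X509TrustManager (cacerts unless overridden). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null => use the JRE's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True if any trust anchor's Subject DN contains the fragment (case-insensitive). */
    static boolean hasTrustAnchor(X509TrustManager tm, String subjectFragment) {
        String needle = subjectFragment.toLowerCase();
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            String subject = anchor.getSubjectX500Principal().getName().toLowerCase();
            if (subject.contains(needle)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Default: the root that the JDK 6 trace reported as "Found trusted certificate".
        String subject = args.length > 0 ? args[0] : "StartCom Certification Authority";
        X509TrustManager tm = defaultTrustManager();
        // Assumed default path; javax.net.ssl.trustStore overrides it when set.
        String store = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("trust store   = " + store);
        System.out.println("trust anchors = " + tm.getAcceptedIssuers().length);
        System.out.println("'" + subject + "' present = " + hasTrustAnchor(tm, subject));
    }
}
```

If the root is present under one JDK and absent under the other, the fix is on the trust-store side (importing the root into that JDK's cacerts or pointing the client at a trust store that has it), not in HttpClient.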
