tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SSL Handshake Exceptions
Date Mon, 11 May 2015 21:42:58 GMT

Andy,

On 5/11/15 4:50 PM, Andy Wang wrote:
> Honestly, I'm going to be a little purposefully obtuse here. 
> Manipulating your trust store is a security step.  You really need
> to understand what you're doing and why, so I'd suggest you do some
> google searches to read up on it using keywords pulled out of my
> original response.

+1

> I will add one more thing.  Your original stack trace showed the 
> webserver to be some com.redwood.r2w class.  Quick googling finds
> that this is some commercial product.  You might want to try the
> support channels from your vendor as they may have special
> instructions for trusting self-signed certs.

Also, the underlying library is Apache Components HttpClient. You
probably won't just be able to set a system-wide trust-store and be
able to use that. I agree with Andy that you should contact your
vendor about how to configure trust for remote websites (the one with
the self-signed certificate).

-chris

> On 05/11/2015 02:30 PM, jairaj kamal wrote:
>> Hi,
>> 
>> Can you share the steps to import the certificate into the
>> jssecacerts truststore, my client is webserver.
>> 
>> *Jairaj Kamal*
>> 
>> 
>> On Mon, May 11, 2015 at 2:16 PM, Andy Wang <awang@ptc.com>
>> wrote:
>> 
>>> 
>>> 
>>> On 05/11/2015 01:24 PM, jairaj kamal wrote:
>>> 
>>>> javax.net.ssl.SSLHandshakeException: 
>>>> sun.security.validator.ValidatorException: PKIX path building
>>>> failed: 
>>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>>> unable to find valid certification path to requested target
>>>> 
>>> 
>>> This usually means that the ssl client (the client that's
>>> originating the direct connection to the ssl server) is unable
>>> to construct a proper certificate trust path for the server.
>>> 
>>> As you noted, you used a self-signed cert.  This means that you
>>> need to import the certificate into the jssecacerts truststore
>>> (or if your client has its own truststore, it needs to be
>>> imported there).
>>> 
>>> Andy
>>> 
>>> 
>>> 
>>> 
>> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

