
I have set up a VPS hosting two websites with Apache. Both have a (valid) SSL configuration with a StartSSL certificate, and I have no problem accessing them from a desktop or mobile browser.

I am trying to access an API that one of the websites runs using SSL, but I'm having problems. I was first using Apache HttpClient (deprecated), but it looks like it can't choose the proper certificate on the server because it doesn't support Server Name Indication and that the workaround is using HttpsURLConnection.

So I currently have this code, shamelessly copied from the Internet:

import java.io.DataOutputStream;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class ApiPost {
    public static void main(String[] args) throws Exception {
        String url = "https://mywebsite.ext/api/xxx";
        URL obj = new URL(url);
        HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

        // add request header
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        String urlParameters = "blah=foo&bar=xx";

        // Send post request (the TLS handshake happens on getOutputStream)
        con.setDoOutput(true);
        DataOutputStream wr = new DataOutputStream(con.getOutputStream());
        wr.writeBytes(urlParameters); // writes the low byte of each char; fine for ASCII form data
        wr.flush();
        wr.close();

        int responseCode = con.getResponseCode();
        // ...
    }
}

And what I get is:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

(Which of course I don't get if I try to access for instance https://google.com)

After googling, I found that the issue seems to be that the root certificate of StartSSL is not recognized by the JVM (desktop) / Android. I don't want to import it manually because the purpose of this code is to run inside an Android application. Nor do I want to lose all the benefit of SSL by allowing any certificate, as I have seen in many answers.

Any insights?

Thank you

christophetd
  • Are you serving the correct intermediate certificate(s)? You can use a tool like SSL Labs SSL Test to see if you're sending all intermediate certs needed to build the certificate chain. – Anand Bhat Oct 21 '15 at 14:54
  • Yes, the intermediate certificate is correctly sent. Checked with SSL Labs – christophetd Oct 21 '15 at 20:16

1 Answer

If your CA is not trusted by your platform you don't have many options beyond manually adding the CA to the platform's root CA trust list or getting your certificates signed by one of the CA's your platform trusts.

JJF
  • That's what I suspected. :/ So basically I have no other choice than generating new certificates from another CA? – christophetd Oct 21 '15 at 13:23
  • ... or manually add StartSsl to your platform's trusted list. That would be my understanding. – JJF Oct 21 '15 at 13:28
  • 1
    The major qs here is not how to add the CA to a trusted CA list in your keystore, but why it's not there by default. An obvious answer is - security considerations. If Java doesn't trust it by default, we probably should not either or at least do our own research to understand how credible this CA is. A quick search gives many results describing their security problems in 2011. – Oleg Gryb Mar 22 '16 at 18:57
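The "add the CA to the trust list" option from the answer does not have to mean touching the platform's global store: the application can ship the CA certificate itself and hand HttpsURLConnection an SSLContext whose trust store contains only that CA. This is an added example (not code from the question or the answer) that does exactly that for the questioner's POST; the PEM file name `startssl-root.pem`, the class name and the URL are assumptions, and on Android the PEM would be read from `res/raw` or `assets` rather than from a file path. It keeps the default hostname verification in place; it does not install a permissive TrustManager or HostnameVerifier.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedCaClient {

    /**
     * Builds an SSLContext that trusts only the CA certificate(s) found in the
     * given PEM stream. Chains that end in any other root, including roots the
     * platform trusts by default, are rejected by this context.
     */
    static SSLContext sslContextTrustingOnly(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Empty in-memory keystore; nothing from the platform store is copied in.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);

        int count = 0;
        for (Certificate ca : cf.generateCertificates(caPem)) {
            ks.setCertificateEntry("ca" + count, ca);
            count++;
        }
        if (count == 0) {
            throw new IllegalArgumentException("no certificates found in PEM input");
        }

        // Standard PKIX trust manager, but fed our keystore instead of the platform's.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Sends a form-encoded POST over the given SSLContext and returns the HTTP status. */
    static int post(SSLContext ctx, String url, String formBody) throws Exception {
        HttpsURLConnection con = (HttpsURLConnection) new URL(url).openConnection();

        // Scoped to this connection only; HttpsURLConnection.setDefaultSSLSocketFactory
        // would change every HTTPS connection in the process.
        con.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately NOT calling con.setHostnameVerifier(...): the default verifier
        // still checks that the certificate matches the host name in the URL.

        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        con.setDoOutput(true);

        byte[] body = formBody.getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = con.getOutputStream()) {
            out.write(body);
        }
        return con.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name and URL; the CA PEM is bundled with the application.
        try (InputStream pem = new FileInputStream("startssl-root.pem")) {
            SSLContext ctx = sslContextTrustingOnly(pem);
            int status = post(ctx, "https://mywebsite.ext/api/xxx", "blah=foo&bar=xx");
            System.out.println("HTTP " + status);
        }
    }
}
```

Two caveats worth keeping in mind. First, the server still has to send its intermediate certificate(s), as the comments above check with SSL Labs, because the trust store here contains only the root and the PKIX builder needs the rest of the chain from the handshake. Second, this is effectively CA pinning: the app trusts nothing but that one CA for this connection, so a change of CA on the server side (including moving to a CA the platform already trusts, as the answer suggests) requires shipping a new PEM with the app, and any hostname verification override would silently undo the protection the custom trust store provides.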