
I'm trying to debug why an https connection fails. The error I get is

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

The code is using Java 7's built-in truststore.

For this scenario, there is one client (written by me) run from two different machines (A and B) and one server. The connection works from A but fails with the above exception from B. I have run the following code to log the trust manager:

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Load the JVM's default truststore (a null KeyStore selects it) and log what it trusts.
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
    System.out.println(trustManager);

    if (trustManager instanceof X509TrustManager) {
        X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
        for (X509Certificate c : x509TrustManager.getAcceptedIssuers()) {
            // Print the subject of each trusted issuer (the original line was truncated at "c.get")
            System.out.println(c.getSubjectX500Principal());
        }
    }
}

This code logs almost the same certificates on A and B, and most importantly the root cert required for the server is present on both.

So, I'm looking for a way to inspect the connection object at runtime to determine what certificates were actually used. Is there any way to do that?

Update: I cannot get ssl debugging to work, so I need a way to do this programmatically.
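One programmatic way to see which chain the server actually presents, and where the default validator rejects it, is to wrap the JVM's default X509TrustManager in a logging delegate and install it on the single connection under test. This is an added example, not code from the question or the answers; the class name LoggingTrustManager and the use of a URL passed on the command line are assumptions.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Diagnostic wrapper (hypothetical): delegates to the JVM's default X509TrustManager
// and logs the chain the server actually presented before default validation runs.
public class LoggingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public LoggingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    // Same lookup as the question's snippet: a null KeyStore selects the default truststore (cacerts)
    public static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        for (int i = 0; i < chain.length; i++) {
            System.out.println("server chain[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + " issuer=" + chain[i].getIssuerX500Principal());
        }
        try {
            delegate.checkServerTrusted(chain, authType); // unchanged PKIX validation
        } catch (CertificateException e) {
            System.out.println("PKIX validation failed: " + e.getMessage());
            throw e; // rethrow: swallowing this would disable certificate verification
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new LoggingTrustManager(defaultTrustManager()) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection, not the whole JVM
        conn.connect(); // on failure, the chain logged above is the one the validator rejected
    }
}
```

Comparing the logged issuer of the last chain element on machine B against the accepted issuers printed by the question's snippet shows whether the server sends an incomplete chain or B's truststore lacks the intermediate.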


You can turn on SSL debugging using -Djavax.net.debug=ssl.

This produces quite a lot of output. If that is too much for you, check out the debugging JVM flags as described in this thread.

micker
  • This would probably be the correct answer in most cases. However, I cannot get ssl debug to work in this case (which I forgot to mention in my question, will update it). So I'm looking for a way to get the info programmatically. – Anders Ivner Jun 09 '16 at 09:41
  • @AndersIvner You cannot get it to work how? Works for me, for 15 years or more. – user207421 Jun 09 '16 at 10:01
  • @EJP as in, we send the flag -Djavax.net.debug=ssl, but it still won't log anything. It's a complex system and the flag works in other cases, but not in this specific case. – Anders Ivner Jun 09 '16 at 11:53
  • How are you invoking the JVM? Is this within an application container? – micker Jun 09 '16 at 13:08
  • @micker It runs in JBoss. – Anders Ivner Jun 09 '16 at 13:41
  • You may find [this](http://stackoverflow.com/questions/14730421/setting-the-right-truststore-in-jboss-7) thread applicable both for your original question and for debugging. [This](http://community.jaspersoft.com/documentation/jasperreports-server-pro-install-guide/v56/setting-jvm-options-application-servers-0) also describes how to set JVM arguments in JBoss. Let us know if this helps. – micker Jun 09 '16 at 13:49