I wrote a web service client and a plugin for it. That plugin combines some services of the web service client. On the server side, they don't have a valid SSL certificate and therefore I have some problems testing it. I tried to bypass Java security checking this way. That works well in my web service client's test but doesn't work in my plugin's test. In the plugin's test, I got this exception:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at java.net.URL.openStream(URL.java:1037)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:994)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:395)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:214)
    ... 75 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 90 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

In IntelliJ, the Sun classes' source code isn't available, so the debugging process is difficult. It can't help me. Anyway, after reading similar questions and answers, several hours of trial and error, searching the web, debugging and ..., my question is: Do you know any way to bypass the JVM security checking that really works in any situation?

Hamid
  • The link is correct, so the issue is in the code you have not shown. On the other hand you can import the server certificate in the client truststore, which is the correct way to solve the problem – pedrofb Sep 10 '17 at 18:54
  • @pedrofb Can you give me some more hints about importing the server certificate into the client truststore? Do you mean something like this question? https://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore – Hamid Sep 11 '17 at 03:39
  • You need to import the SSL certificate into the default Java keystore (jre/lib/security/cacerts/) or create a custom keystore and use it in your client. See http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html – pedrofb Sep 11 '17 at 05:52
  • @pedrofb Thanks for your answer. The problem is that when I export the certificate from the browser, it doesn't have any hierarchy or root and the certificate is invalid. I added the certificate to the cacerts file, but the problem still exists. – Hamid Sep 11 '17 at 08:30
  • What does "is invalid" mean? Is it a self-signed certificate? A self-signed certificate can perfectly well be used in an SSL server – pedrofb Sep 11 '17 at 08:36
  • @pedrofb I know a bit about certificates. The issuer and subject name of my certificate are different, so it isn't self-signed. Is that correct? – Hamid Sep 11 '17 at 08:50
  • In that case it probably will not be self-signed. You should include the root CA in cacerts, but if you included the certificate correctly, it should work too. Ensure you imported the certificate correctly and you are using the right JVM – pedrofb Sep 11 '17 at 08:55
  • @pedrofb I'm using -Djavax.net.debug=SSL and checking the log. I see my certificate in the list. I don't have the root CA; maybe some config on the server is wrong. Without the CA root it doesn't work, yeah? – Hamid Sep 11 '17 at 09:00
  • If you have included the certificate in cacerts, it should work, because then it will be considered trusted by your JVM. Review server config, because it is not serving the intermediate certificates; it could be the cause of the malfunction – pedrofb Sep 11 '17 at 09:08

0 Answers