
Built a simple https client.

```java
package src;

import java.net.URL;
import java.io.*;
import javax.net.ssl.HttpsURLConnection;

public class JavaHttpsExample
{
    public static void main(String[] args) throws Exception {
        String httpsURL = "https://services.gradle.org/";
        URL myUrl = new URL(httpsURL);
        HttpsURLConnection conn = (HttpsURLConnection)myUrl.openConnection();
        InputStream is = conn.getInputStream();
        InputStreamReader isr = new InputStreamReader(is);
        BufferedReader br = new BufferedReader(isr);

        String inputLine;

        while ((inputLine = br.readLine()) != null) {
            System.out.println(inputLine);
        }

        br.close();
    }

}
```

An attempt to open a connection on Windows 10 Pro build 19044 crashes with an error:

```
Exception in thread "main" javax.net.ssl.SSLHandshakeException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
...
```

The connection on Windows 8.1 Pro build 6.3.9600 is successful. Both systems use:

```
java version "17.0.5" 2022-10-18 LTS
Java(TM) SE Runtime Environment (build 17.0.5+9-LTS-191)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.5+9-LTS-191, mixed mode, sharing)
```

Run with `-Djavax.net.debug=ssl:handshake`

A fragment of the log on Windows 10:

```
...
javax.net.ssl|DEBUG|10|main|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "008464BF921D4424172C45933D35C53139",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Generic Root CA 3, C=EN",
    "not before"         : "2022-05-10 03:00:00.000",
    "not  after"         : "2023-05-11 02:59:59.000",
    "subject"            : "CN=gradle.org, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: gradle.org
          DNSName: *.gradle.org
        ]
      }
    ]}
]
)
...
```

A fragment of the log on Windows 8:

```
...
javax.net.ssl|DEBUG|10|main|CertificateMessage.java:366|Consuming server Certificate handshake message (
    "Certificates": [
      "certificate" : {
         "version"            : "v3",
         "serial number"      : "04B9BF6E8CBB0976E5DA72B7CB24FD00",
         "signature algorithm": "SHA256withECDSA",
         "issuer"             : "CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US",
         "not before"         : "2022-05-10 03:00:00.000",
         "not  after"         : "2023-05-11 02:59:59.000",
         "subject"            : "CN=gradle.org, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US",
         "subject public key" : "EC",
         "extensions"         : [
            {
              ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
            },
            {
              ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
              AuthorityInfoAccess [
                 [
                  accessMethod: ocsp
                  accessLocation: URIName: http://ocsp.digicert.com
              ,
                  accessMethod: caIssuers
                  accessLocation: URIName: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
              ]
              ]
            },
```
... and then the chain of certificates

I tried it with various sites. The result is the same – error. All sites are accessible from the browser.

Why is an incorrect certificate returned in Windows 10? How can I fix it?

A similar question is here: Unable to access any HTTPS site with any Java JRE on Windows 10

GorDAn
  • Does this answer your question? [Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target](https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find) – Jesse Oct 26 '22 at 17:18
  • The recommendations given there did not help. In Windows 8, http sites are opened without any manipulation of the certificate store. – GorDAn Oct 26 '22 at 18:07
  • 2
    Although the servers at `services.gradle.org` do have both RSA and EC certs (see https://www.ssllabs.com/ssltest/analyze.html?d=services.gradle.org) your cert issued by "CN=Generic Root CA 3, C=EN" is not one of them, is not in the transparency logs, and is clearly invalid -- no public CA is named 'Generic Root'. Apparently **your Win10 connection (but not Win8) is being intercepted** by something, like a network firewall or IDS/IPS/DLP or on the machine by antivirus/endpoint-security/device-management. You'll need to find out what is doing this and either stop it or get&use its root. – dave_thompson_085 Oct 26 '22 at 21:45
  • 1
    PS: most on-machine interceptors, and in a business environment (i.e. a Windows domain) off-machine ones also, have their root inserted automatically in the Windows cert store(s), which causes IE, Edge, and Chrome to trust them -- but not Firefox at least in the past (recent versions of Firefox _can_ read the Windows store if configured), and of course not Java. What browser(s) are you checking? – dave_thompson_085 Oct 26 '22 at 21:47
  • @dave_thompson_085 thanks for the comment. I use Google Chrome. I also suspect an antivirus. But for now I have problems disabling it. – GorDAn Oct 27 '22 at 16:49
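
An added diagnostic, not code from the question or its comments: it records the chain that the server (or an interceptor in the path) actually presents while still validating it, first against the JDK's default `cacerts` and then, on Windows, against the `Windows-ROOT` keystore, which is how Java reads the Windows cert store mentioned in the comments. The names `ChainProbe`, `Recording`, `trustManagerFor` and `probe` are made up for this example.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ChainProbe {
    /** Wraps a real trust manager: records the presented chain, then still validates it. */
    static final class Recording implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] seen = new X509Certificate[0];
        Recording(X509TrustManager d) { delegate = d; }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            seen = c;                          // keep the chain even if validation fails
            delegate.checkServerTrusted(c, a); // validation is NOT bypassed
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** storeType null = JDK default cacerts; "Windows-ROOT" = Windows trusted roots (SunMSCAPI). */
    static Recording trustManagerFor(String storeType) throws Exception {
        KeyStore ks = null;
        if (storeType != null) { ks = KeyStore.getInstance(storeType); ks.load(null, null); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return new Recording((X509TrustManager) tm);
        throw new IllegalStateException("no X509TrustManager available");
    }

    static void probe(String url, String storeType) throws Exception {
        Recording tm = trustManagerFor(storeType);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        String result;
        try { conn.connect(); result = "trusted"; conn.disconnect(); }
        catch (SSLException e) { result = "rejected: " + e.getMessage(); }
        System.out.println((storeType == null ? "JDK cacerts" : storeType) + " -> " + result);
        for (X509Certificate c : tm.seen)
            System.out.println("  subject=" + c.getSubjectX500Principal() + "\n  issuer =" + c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://services.gradle.org/";
        probe(url, null);
        // Trusting Windows-ROOT also trusts any interception root installed there.
        if (System.getProperty("os.name").startsWith("Windows")) probe(url, "Windows-ROOT");
    }
}
```

If the first probe is rejected and the second is trusted, the printed issuer names the root that exists only in the Windows store; the same store can be selected for an unmodified program with `-Djavax.net.ssl.trustStoreType=Windows-ROOT`.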
