Re: [jetty-users] jetty SSL outgoing connections: unable to find valid certification path to requested target
I found the solution; this config does not validate the server certificate.
In jetty.xml:
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/s_01.jks</Set>
          <Set name="keyStorePassword">...</Set>
          <Set name="keyManagerPassword">....</Set>
          <Set name="trustStore"><SystemProperty name="jetty.home" default="."/>/etc/t_01.jks</Set>
          <Set name="trustStorePassword">...</Set>
          <Set name="validateCerts">false</Set>
          <Set name="validatePeerCerts">false</Set>
        </New>
      </Arg>
      <Set name="Port"><SystemProperty name="jetty.port.ssl" default=".."/></Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="AcceptQueueSize">100</Set>
    </New>
  </Arg>
</Call>
2013/11/14, maarten ligtvoet <maartenligtvoet@xxxxxxxxx>:
> Hi jetty-users,
>
> (sorry for the long post)
> I'm using exist-db with jetty as HTTP, HTTPS handler.
> I've added the server certificates to a jks truststore but can't get a
> live connection where my side is SSL-client and the other is
> SSL-server.
>
> Version: jetty-8.1.9.v20130131
>
> The error I receive is:
> <httpclient:response statusCode="500"
> xmlns:httpclient="http://exist-db.org/xquery/httpclient"><httpclient:body
> type="text"
> encoding="URLEncoded">sun.security.validator.ValidatorException%3A+PKIX+path+building+failed%3A+sun.security.provider.certpath.SunCertPathBuilderException%3A+unable+to+find+valid+certification+path+to+requested+target</httpclient:body></httpclient:response>
>
> In my logging:
> ERROR (BaseHTTPClientFunction.java [doRequest]:211) - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> ...
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
> at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
> at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
> at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
> at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
> at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> at org.exist.xquery.modules.httpclient.BaseHTTPClientFunction.doRequest(BaseHTTPClientFunction.java:202)
> at org.exist.xquery.modules.httpclient.POSTFunction.eval(POSTFunction.java:191)
> at org.exist.xquery.BasicFunction.eval(BasicFunction.java:70)
> at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:55)
> at org.exist.xquery.LetExpr.eval(LetExpr.java:142)
> ...
> at java.lang.Thread.run(Thread.java:744)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
> ... 109 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> ... 115 more
>
> In my jetty.xml config I have:
> /usr/local/exist/tools/jetty/etc/jetty.xml
> ....
>
> <Call name="addConnector">
>   <Arg>
>     <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
>       <Set name="host"><SystemProperty name="jetty.host"/></Set>
>       <Set name="port"><SystemProperty name="jetty.port" default="8877"/></Set>
>       <Set name="maxIdleTime">300000</Set>
>       <Set name="Acceptors">2</Set>
>       <Set name="statsOn">false</Set>
>       <Set name="confidentialPort"><SystemProperty name="jetty.port.ssl" default="8477"/></Set>
>       <Set name="lowResourcesConnections">20000</Set>
>       <Set name="lowResourcesMaxIdleTime">5000</Set>
>     </New>
>   </Arg>
> </Call>
>
> <Call name="addConnector">
>   <Arg>
>     <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>       <Set name="Port">8477</Set>
>       <Set name="maxIdleTime">30000</Set>
>       <Set name="Acceptors">2</Set>
>       <Set name="AcceptQueueSize">100</Set>
>       <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/s_01.jks</Set>
>       <Set name="Password">....</Set>
>       <Set name="KeyPassword">.....</Set>
>       <Set name="truststore"><SystemProperty name="jetty.home" default="."/>/etc/t_01.jks</Set>
>       <Set name="trustPassword">....</Set>
>     </New>
>   </Arg>
> </Call>
>
> 1) Is this the correct place in jetty config to point to my jks
> truststore for outgoing connections? (it seems to me this is more for
> incoming? Since it lists the receiving port?)
> If it is the correct place:
> 2) How can I disable server certificate validation,
> so that my client does not validate the other's certificate?
>
> Thanks for any pointers!
> Maarten
>
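The stack trace in the quoted message ends in the JDK's X509TrustManagerImpl, which builds a PKIX path from the server's chain to an anchor in a truststore; "unable to find valid certification path" means no anchor in that truststore signs the chain. The connector's SslContextFactory in jetty.xml configures the sockets Jetty accepts on that port, while the failing call is commons-httpclient inside exist-db, which (assumption, not stated in the thread) relies on the JVM's default trust settings. The following is an added example, not code from the thread, Jetty or exist-db: a small outbound HTTPS client that keeps validation switched on, loads an explicit JKS truststore, and reports the rejected chain so the missing issuer can be identified and imported. The class name, file paths, password and URL are placeholders supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (hypothetical class, not from the thread): an outbound HTTPS
 * client that validates the server certificate against a chosen JKS
 * truststore and, on failure, prints the chain it rejected.
 *
 * Usage: java TrustStoreClient <truststore.jks> <password> <https-url>
 */
public class TrustStoreClient {

    /** Load a JKS truststore and build the standard PKIX trust manager from it. */
    static X509TrustManager trustManagerFrom(String jksPath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + jksPath);
    }

    /**
     * Wrap the real trust manager so a rejection is logged together with the
     * chain that was presented. The decision is unchanged: the exception is
     * rethrown, so a chain the truststore does not anchor still fails.
     */
    static X509TrustManager logging(final X509TrustManager delegate) {
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    delegate.checkServerTrusted(chain, authType);
                } catch (CertificateException e) {
                    System.err.println("server chain rejected (" + e.getMessage() + "):");
                    for (X509Certificate c : chain) {
                        System.err.println("  subject=" + c.getSubjectX500Principal()
                                + "  issuer=" + c.getIssuerX500Principal());
                    }
                    System.err.println("the issuer of the last certificate above is what the truststore is missing");
                    throw e;
                }
            }

            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }

            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String jks = args[0];
        char[] pw = args[1].toCharArray();
        URL url = new URL(args[2]);

        // Only the truststore is replaced; key managers (null) and RNG stay at JSSE defaults.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging(trustManagerFrom(jks, pw)) }, null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is kept, so the certificate must also match url.getHost().
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url.getHost());
    }
}
```

When the client prints a rejected chain, the remedy that preserves validation is to import the issuing CA certificate (not the leaf, unless it is self-signed) into the truststore with `keytool -importcert -trustcacerts -alias <ca-alias> -file <ca.pem> -keystore t_01.jks`, and for a client that uses the JVM defaults rather than an explicit SSLContext, to start the JVM with `-Djavax.net.ssl.trustStore=<path to t_01.jks> -Djavax.net.ssl.trustStorePassword=<password>`.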