Your message dated Sat, 09 Oct 2010 14:33:52 +0000
with message-id <[email protected]>
and subject line Bug#597967: fixed in jxplorer 3.2.1+dfsg-4
has caused the Debian Bug report #597967,
regarding Ignores installed CA; refuses to make SSL connection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
597967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597967
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jxplorer
Version: 3.2.1+dfsg-3
Severity: important
It appears that it's impossible to use a private CA with jxplorer. I
installed the CA certificate as
/usr/local/share/ca-certificates/MetricsCA.crt. I ran
update-ca-certificates, which added it to the java keystore
/etc/ssl/certs/java/cacerts.
It is definitely present in the keystore:
# keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep metrics
metricsca_pem, Sep 16, 2010, trustedCertEntry,
And yet, when I try and connect to our LDAP server:
Error opening connection:
java.security.cert.CertificateException: Invalid Server Certificate: server
certificate could not be verified, and the CA certificate is missing from the
certificate chain. raw error: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
and, on the console:
Sep 24, 2010 11:43:35 AM com.ca.directory.jxplorer.broker.JNDIBroker openConnection
WARNING: initial receipt of exception by jndi broker
java.security.cert.CertificateException: Invalid Server Certificate: server
certificate could not be verified, and the CA certificate is missing from the
certificate chain. raw error: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
javax.naming.CommunicationException:
java.security.cert.CertificateException: Invalid Server Certificate: server
certificate could not be verified, and the CA certificate is missing from the
certificate chain. raw error: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target [Root exception is
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
Invalid Server Certificate: server certificate could not be verified, and the
CA certificate is missing from the certificate chain. raw error:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1992)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:265)
at com.ca.commons.jndi.JNDIOps.exists(JNDIOps.java:633)
at com.ca.directory.jxplorer.broker.JNDIBroker.openConnection(JNDIBroker.java:409)
at com.ca.directory.jxplorer.broker.JNDIBroker.processRequest(JNDIBroker.java:360)
at com.ca.directory.jxplorer.broker.Broker.processQueue(Broker.java:158)
at com.ca.directory.jxplorer.broker.JNDIBroker.processQueue(JNDIBroker.java:829)
at com.ca.directory.jxplorer.broker.Broker.run(Broker.java:124)
at java.lang.Thread.run(Thread.java:636)
Caused by: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Invalid Server Certificate: server
certificate could not be verified, and the CA certificate is missing from the
certificate chain. raw error: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1639)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:215)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:209)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1033)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:546)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1140)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:764)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:94)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at com.sun.jndi.ldap.Connection.run(Connection.java:820)
... 1 more
Caused by: java.security.cert.CertificateException: Invalid Server
Certificate: server certificate could not be verified, and the CA certificate
is missing from the certificate chain. raw error:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at com.ca.commons.security.JXTrustManager.checkServerTrusted(JXTrustManager.java:141)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1025)
... 12 more
I've tried adding it to my user keystore as well. Doesn't help.
openssl's s_client confirms that the server works, and that the CA does
indeed verify the server.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.35-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages jxplorer depends on:
ii default-jre [java6-runti 1:1.6-40 Standard Java or Java compatible R
ii java-wrappers 0.1.16 wrappers for java executables
ii javahelp2 2.0.05.ds1-4 Java based help system
ii junit 3.8.2-4 Automated testing framework for Ja
ii openjdk-6-jre [java6-run 6b18-1.8.1-1+b1 OpenJDK Java runtime, using Hotspo
jxplorer recommends no packages.
jxplorer suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: jxplorer
Source-Version: 3.2.1+dfsg-4
We believe that the bug you reported is fixed in the latest version of
jxplorer, which is due to be installed in the Debian FTP archive:
jxplorer_3.2.1+dfsg-4.debian.tar.gz
to main/j/jxplorer/jxplorer_3.2.1+dfsg-4.debian.tar.gz
jxplorer_3.2.1+dfsg-4.dsc
to main/j/jxplorer/jxplorer_3.2.1+dfsg-4.dsc
jxplorer_3.2.1+dfsg-4_all.deb
to main/j/jxplorer/jxplorer_3.2.1+dfsg-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gabriele Giacone <[email protected]> (supplier of updated jxplorer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 09 Oct 2010 15:37:05 +0200
Source: jxplorer
Binary: jxplorer
Architecture: source all
Version: 3.2.1+dfsg-4
Distribution: unstable
Urgency: low
Maintainer: Gabriele Giacone <[email protected]>
Changed-By: Gabriele Giacone <[email protected]>
Description:
jxplorer - Java LDAP Browser
Closes: 597967 599557
Changes:
jxplorer (3.2.1+dfsg-4) unstable; urgency=low
.
* Trusted CAs/servers keystore defaults to /etc/ssl/certs/java/cacerts
(Closes: 597967).
+ Updated patch 02jkslocation.
+ Removed /usr/share/jxplorer/security.
* Added patch 05utflang that fixes french translation (Closes: #599557).
* d/copyright: fixed spacing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkywcg0ACgkQp3cdCbVcnCtDswCggGTvo+kkyNRjzcYDcvDsCFd9
SzkAoO6IllNnSbBShC69zzGt8hA+8qEx
=s3ms
-----END PGP SIGNATURE-----
--- End Message ---
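
Added illustration, not part of the bug thread or the jxplorer package: the failure reported above and the fix in 3.2.1+dfsg-4 both come down to which trust store the client actually loads. The script reproduces that with OpenSSL, using PEM bundles as stand-ins for the Java keystores; the CA names, the host name ldap.example.test and all file names are constructed.

```sh
#!/bin/sh
# Added illustration; every name, subject and file here is constructed.
set -eu

# make_pki DIR: two CAs ("private" and an unrelated "other") plus a server
# certificate signed by the private one.
make_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in private other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/req.cnf" \
            -extensions v3_ca -subj "/CN=Constructed $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=ldap.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/private.crt" -CAkey "$d/private.key" \
        -CAcreateserial -days 2 -out "$d/srv.crt" >/dev/null 2>&1
}

# trusted_by BUNDLE CERT: true only if CERT chains to a CA OpenSSL finds via
# BUNDLE (its default directory is searched too; the constructed CA is not there).
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: the same server certificate checked against two trust stores.
demo() {
    d=$(mktemp -d)
    make_pki "$d"
    # Store the application ships and loads itself: lacks the private CA.
    cp "$d/other.crt" "$d/app-store.pem"
    # System-wide store after the administrator installed the private CA.
    cat "$d/other.crt" "$d/private.crt" > "$d/system-store.pem"
    if trusted_by "$d/app-store.pem" "$d/srv.crt"; then app=trusted; else app=rejected; fi
    if trusted_by "$d/system-store.pem" "$d/srv.crt"; then sys=trusted; else sys=rejected; fi
    rm -rf "$d"
    echo "app-store=$app system-store=$sys"
}

demo
```

The server certificate is rejected against the application-private bundle and accepted against the system bundle, even though the certificate and CA are identical in both runs.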