On 15-12-2016 at 00:12, Kathleen Wilson wrote:
1) Salesforce (in cloud) is using the default Java root store, which is smaller than 
Mozilla's root store. This accounts for the 
"sun.security.validator.ValidatorException: PKIX path building failed:" errors.
We're not yet sure how to tell the Java program in the Salesforce cloud to use 
a different root store, so please point me in the right direction if any of you 
have dealt with this before.

How have you implemented the fetching? Are you using the Salesforce platform? You can only make callouts to a set of Remote Sites that you have whitelisted. That does not seem to fit your use case. There are ways to hack around this. You can, for example, add your Salesforce domain to the whitelist, which allows code running within Salesforce to dynamically deploy changes to the whitelist. Is that what you are doing? If that is the case, you cannot change which certificates it trusts, because you cannot reach down into the Java layer. A solution would be to use some kind of proxy outside the Salesforce platform, which can have its own certificate validation logic. A bonus of doing it that way is that you can then avoid having self-modifying code running in your system, and the related potential for security issues.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
