[
https://issues.apache.org/jira/browse/HTTPCLIENT-1262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499457#comment-13499457
]
Oleg Kalnichevski edited comment on HTTPCLIENT-1262 at 11/17/12 4:43 PM:
-------------------------------------------------------------------------
What does this all tell you?
The certificate presented by the target site is clearly not trusted, as it is
not present on the list of trusted CAs. If developers of curl or Ning http
client think it is a good idea to trust certificates like that by default, it is
their problem.
---
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit,
O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:
130239717645625039446867810265815675924598680366480291538572828355817948069212793748514833469893116011718880147177173794012266279892499833991844993361925891994365964380211747649162835760408844922777394424037787481478926521393063444048231969253187639595947459432351132031539503977746849948171699101810298296153
public exponent: 65537
Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
To: Tue Oct 15 22:46:23 CEST 2013]
Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit,
O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
SerialNumber: [ 59ce]
---
Having said that, one can easily configure HttpClient to accept such
certificates if really necessary.
Oleg
---
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;
public class SelfSignedTest {
    public static void main(String[] args) throws Exception {
        // Accept any single-certificate (self-signed) chain and skip hostname checking
        SSLSocketFactory sslsf = new SSLSocketFactory(
                new TrustSelfSignedStrategy(), new AllowAllHostnameVerifier());
        Scheme https = new Scheme("https", 443, sslsf);
        DefaultHttpClient httpclient = new DefaultHttpClient();
        httpclient.getConnectionManager().getSchemeRegistry().register(https);
        HttpGet httpget = new HttpGet("https://www.popcornopolis.com/");
        HttpResponse response = httpclient.execute(httpget);
        try {
            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
        } finally {
            EntityUtils.consume(response.getEntity());
        }
    }
}
---
[DEBUG] BasicClientConnectionManager - Get connection for route
{s}->https://www.popcornopolis.com
[DEBUG] DefaultClientConnectionOperator - Connecting to
www.popcornopolis.com:443
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
[DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
[DEBUG] DefaultHttpClient - Attempt 1 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: www.popcornopolis.com
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2.2 (java 1.5)
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 200 OK
[DEBUG] headers - << HTTP/1.1 200 OK
[DEBUG] headers - << Date: Sat, 17 Nov 2012 16:40:46 GMT
[DEBUG] headers - << Server: Apache
[DEBUG] headers - << X-Powered-By: PHP/5.3.14 ZendServer/5.0
[DEBUG] headers - << Set-Cookie: frontend=6u7ajad46vmf1531gb2d6m3lg0;
expires=Sat, 24-Nov-2012 16:40:48 GMT; path=/; domain=www.popcornopolis.com;
HttpOnly
[DEBUG] headers - << Expires: Thu, 19 Nov 1981 08:52:00 GMT
[DEBUG] headers - << Cache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0
[DEBUG] headers - << Pragma: no-cache
[DEBUG] headers - << Vary: Accept-Encoding,User-Agent
[DEBUG] headers - << Keep-Alive: timeout=15, max=100
[DEBUG] headers - << Connection: Keep-Alive
[DEBUG] headers - << Transfer-Encoding: chunked
[DEBUG] headers - << Content-Type: text/html; charset=UTF-8
[DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name:
frontend][value: 6u7ajad46vmf1531gb2d6m3lg0][domain:
www.popcornopolis.com][path: /][expiry: Sat Nov 24 17:40:48 CET 2012]".
[DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 MILLISECONDS
----------------------------------------
HTTP/1.1 200 OK
[DEBUG] BasicClientConnectionManager - Releasing connection
org.apache.http.impl.conn.ManagedClientConnectionImpl@4104c575
[DEBUG] BasicClientConnectionManager - Connection can be kept alive for 15000
MILLISECONDS
---
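The configuration in the comment above disables both checks at once: TrustSelfSignedStrategy accepts any chain that consists of a single certificate, and AllowAllHostnameVerifier skips the hostname check entirely (which is why a certificate issued to CN=web01 is accepted for www.popcornopolis.com). If a self-signed certificate genuinely has to be accepted, the narrower alternative is to trust that one certificate only. The following is an added example, not code from the ticket or from the HttpClient project, written against the HttpClient 4.2 API used in the comment: a TrustStrategy that accepts a single self-signed certificate whose SHA-256 fingerprint matches a pin obtained out of band, and hands everything else back to the JVM's default PKIX validation. The class name, the command-line arguments and the fingerprint value are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

/**
 * Added example (not HttpClient code): trust exactly one self-signed certificate,
 * identified by the SHA-256 fingerprint of its DER encoding. Any other chain
 * returns false, so HttpClient's TrustManagerDecorator runs the default validator.
 */
public class PinnedSelfSignedStrategy implements TrustStrategy {

    private final byte[] expected;

    /** sha256Hex: fingerprint as printed by openssl or keytool; colons are optional. */
    public PinnedSelfSignedStrategy(String sha256Hex) {
        this.expected = hexToBytes(sha256Hex.replace(":", ""));
    }

    public boolean isTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // A self-signed server presents one certificate whose issuer is its own subject.
        if (chain == null || chain.length != 1) {
            return false;
        }
        X509Certificate leaf = chain[0];
        if (!leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            return false;
        }
        leaf.checkValidity();                 // expired or not yet valid -> exception
        try {
            leaf.verify(leaf.getPublicKey()); // the signature must verify under its own key
        } catch (Exception e) {
            throw new CertificateException("self-signed certificate does not verify", e);
        }
        byte[] actual = sha256(leaf.getEncoded());
        if (!MessageDigest.isEqual(expected, actual)) {
            // Report what was presented so the operator can compare it out of band.
            throw new CertificateException("unpinned certificate: subject="
                    + leaf.getSubjectX500Principal().getName()
                    + " serial=" + leaf.getSerialNumber().toString(16)
                    + " sha256=" + bytesToHex(actual));
        }
        return true;
    }

    static byte[] sha256(byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Usage (assumed): java PinnedSelfSignedStrategy https://host/ <sha256-fingerprint> */
    public static void main(String[] args) throws Exception {
        String url = args[0];
        String pin = args[1]; // obtained from the server's owner, not from the connection
        // Hostname verification stays strict: a certificate for CN=web01 is still
        // rejected for www.popcornopolis.com unless the operator relaxes this knowingly.
        SSLSocketFactory sslsf = new SSLSocketFactory(
                new PinnedSelfSignedStrategy(pin),
                SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        DefaultHttpClient httpclient = new DefaultHttpClient();
        httpclient.getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", 443, sslsf));
        HttpResponse response = httpclient.execute(new HttpGet(url));
        try {
            System.out.println(response.getStatusLine());
        } finally {
            EntityUtils.consume(response.getEntity());
            httpclient.getConnectionManager().shutdown();
        }
    }
}
```

On a mismatch the exception message carries the subject, serial number and fingerprint the server actually presented, so a first run against an unknown pin doubles as the check of what certificate is really being served; compare that value with the one the server's owner gives you before pinning it. Hostname verification is left strict on purpose: for a certificate like the one in the debug output above (CN=web01) that check still fails, and only a verified pin, which already identifies the peer, justifies pairing the strategy with AllowAllHostnameVerifier. Pairing AllowAllHostnameVerifier with TrustSelfSignedStrategy alone leaves nothing that identifies the peer at all.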
> Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
> ----------------------------------------------------------------
>
> Key: HTTPCLIENT-1262
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1262
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpAuth, HttpClient
> Affects Versions: 4.2.2
> Environment: JDK 1.6, Mac OS X 10.{6,8}, Ubuntu
> Reporter: Cédric Chantepie
> Priority: Trivial
> Labels: pki, ssl
>
> Try to request some HTTPS websites, we get 'PKIX path building failed' error.
> Seems it's about intermediate/chain certificate.
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
> at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at org.jirafe.shaded.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
> at org.jirafe.shaded.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
> at org.jirafe.shaded.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> at Test.main(Test.java:22)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
> ... 17 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
> ... 23 more