[
https://issues.apache.org/jira/browse/HTTPCLIENT-1262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499785#comment-13499785
]
Oleg Kalnichevski commented on HTTPCLIENT-1262:
-----------------------------------------------
Hi Sebastian
The trouble is that the server presents a certificate to HttpClient which is
self signed and does not have a formal CA,
---
Version: V3
Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit,
O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
...
Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
To: Tue Oct 15 22:46:23 CEST 2013]
Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit,
O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
...
---
whereas the certificate presented to Firefox is clearly different and has a
proper CA chain. See screenshot attached.
The only theory I can think of is that www.popcornopolis.com is effectively a
clever reverse proxy that can distribute SSL sessions across different hosts
based on some characteristics of the SSL handshake messages. Sessions initiated
by common browsers get directed to the target host whereas those initiated by
what is believed to be a crawler get directed to some development host with a self
signed certificate. I can easily be wrong here, though.
Oleg
> Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
> ----------------------------------------------------------------
>
> Key: HTTPCLIENT-1262
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1262
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpAuth, HttpClient
> Affects Versions: 4.2.2
> Environment: JDK 1.6, Mac OS X 10.{6,8}, Ubuntu
> Reporter: Cédric Chantepie
> Priority: Trivial
> Labels: pki, ssl
> Attachments: ssl-ca-chain.png
>
>
> Try to request some HTTPS websites, we get 'PKIX path building failed' error.
> Seems it's about intermediate/chain certificate.
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
> at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at org.jirafe.shaded.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
> at org.jirafe.shaded.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
> at org.jirafe.shaded.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> at Test.main(Test.java:22)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
> ... 17 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
> ... 23 more
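Added example, not part of the original comment or of HttpClient: a small triage script for certificate dumps in the layout quoted in the comment above. It flags a certificate whose Subject equals its Issuer and whose CN differs from the host the client requested; `SAMPLE`, `parse_certs`, `triage` and the second certificate are constructed for illustration.

```python
import re

# Constructed sample in the layout of the dump quoted above; DN lines are
# wrapped as in the mail. The second certificate is invented for contrast.
SAMPLE = """\
Version: V3
Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit,
O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit,
O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
Version: V3
Subject: CN=www.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_certs(text):
    """Split a dump into certificates, re-joining wrapped Subject/Issuer lines."""
    certs, cur, last = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Version":      # each certificate starts here
            cur, last = {}, None
            certs.append(cur)
        elif cur is not None and m:
            last = m.group(1)
            cur[last] = m.group(2).strip()
        elif cur is not None and last in ("Subject", "Issuer") and "=" in line:
            cur[last] += " " + line.strip()    # continuation of a wrapped DN
    return certs

def triage(text, host):
    """Return [(subject CN, findings)] for the host the client requested."""
    report = []
    for cert in parse_certs(text):
        subject, findings = cert.get("Subject", ""), []
        # Subject == Issuer: self-issued. A hint only; no signature is verified.
        if subject and subject == cert.get("Issuer"):
            findings.append("self-issued")
        m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject)
        cn = m.group(1).strip() if m else None
        # Coarse: exact CN comparison only (no wildcard or subjectAltName data).
        if cn and cn.lower() != host.lower():
            findings.append("cn-mismatch")
        report.append((cn, findings))
    return report
```

Both findings together on the leaf certificate fit the situation described in the comment: the client was handed a certificate from a different host than the one it asked for.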