Hello,

When I run a client program I wrote under Java 6 using Apache HTTP client 4.2 and connect to one of our servers with a StartSSL certificate, it works, but when I run the same program, connecting to the same server using Java 7 on the client, it fails. The server works fine in all web browsers I tried. I have tested using Windows 7 and Mac OS X 10.8. My JDK versions are 1.6.0_37 and 1.7.0_09.

The error being returned is:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

I'm a bit surprised that the older JDK (6) succeeds and that it's the more "recent" JDK (7) that triggers the failure. I had initially suspected that it was linked to:

https://issues.apache.org/jira/browse/HTTPCLIENT-1119

...but by debugging the JDK SSL engine (see below), I'm wondering if JDK 7 doesn't have the same root certificates as JDK 6...

I have captured the SSL output using -Djavax.net.debug=all and can provide full logs. The relevant sections (I've cut out some sections with ellipses, and only included the difference for the JDK 6 output; the difference is at the end of the certificate chain) seem to be:

[ --- JDK 7 output --- ]

***
Certificate chain
chain [0] = [
[
  Version: V3
  Subject: [email protected], CN=pi.reflexe.fr, C=FR, OID.2.5.4.13=dY5B6zfZU7iFXNvt
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
(...)
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: pi.reflexe.fr
  DNSName: reflexe.fr
]
(...)
chain [1] = [
[
  Version: V3
  Subject: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
chain [2] = [
[
  Version: V3
  Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
(...)
***
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
qtp1728816301-45, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
qtp1728816301-45, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E                               .......
qtp1728816301-45, called closeSocket()
qtp1728816301-45, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
qtp1728816301-45, IOException in getSession():  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[ --- JDK6 output => differs only at end --- ]

***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Thanks,
Christopher
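The debug output above ends with JDK 6 reporting "Found trusted certificate" for the StartCom root while JDK 7 reports "unable to find valid certification path", which is exactly what a missing trust anchor looks like. The program below is an added example, not code from Christopher's post or from Apache HttpClient, for checking that hypothesis directly: it lists the roots in the running JDK's default trust store, tells you whether a root whose subject contains a given fragment (here the StartCom root from the log) is present, and, optionally, runs the same PKIX path validation the TLS trust manager performs against a leaf-first PEM chain saved from the server. The class name, the PEM file argument and the subject fragment are assumptions for illustration; run it once under each JDK and compare.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Lists the CA roots the running JDK trusts by default and optionally
 * PKIX-validates a PEM certificate chain against them. Written to compile on
 * both JDK 6 and JDK 7 so the same class can be run under each and compared.
 * (Example code; class and argument names are assumptions.)
 */
public class TrustStoreCheck {

    /** Roots from the default trust store (cacerts unless -Djavax.net.ssl.trustStore overrides it). */
    static X509Certificate[] defaultTrustedRoots() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // a null KeyStore selects the JDK's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /** True if the subject DN of any trusted root contains the given fragment. */
    static boolean hasRoot(X509Certificate[] roots, String subjectFragment) {
        for (X509Certificate c : roots) {
            if (c.getSubjectX500Principal().getName().contains(subjectFragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a leaf-first PEM chain against the given roots, as the TLS
     * trust manager does during the handshake. Returns null when a path to a
     * trusted root exists, otherwise the validator's reason.
     */
    static String validateChain(String pemPath, X509Certificate[] roots) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        InputStream in = new FileInputStream(pemPath);
        try {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        } finally {
            in.close();
        }
        // A self-signed root sent by the server (chain [2] in the log) is not
        // part of the validated path; trust must come from the local store.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1
                && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate root : roots) {
            anchors.add(new TrustAnchor(root, null));
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);  // the default TLS trust manager does not check revocation either
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] roots = defaultTrustedRoots();
        System.out.println(System.getProperty("java.version") + ": "
                + roots.length + " trusted roots in the default store");
        // The root at the end of the server's chain in the debug output.
        String wanted = "CN=StartCom Certification Authority";
        System.out.println("contains \"" + wanted + "\": " + hasRoot(roots, wanted));
        if (args.length > 0) {  // optional: chain saved with `openssl s_client -showcerts`
            String problem = validateChain(args[0], roots);
            System.out.println(args[0] + ": " + (problem == null ? "valid path found" : problem));
        }
    }
}
```

Run it as `/path/to/jdk1.6.0_37/bin/java TrustStoreCheck [chain.pem]` and again with the JDK 7 binary. If JDK 7 prints `false` for the StartCom root while JDK 6 prints `true`, the handshake failure is a trust-store difference rather than an HttpClient bug, and the fix is either importing the root into the JDK 7 cacerts with keytool or pointing the client at a trust store that contains it with -Djavax.net.ssl.trustStore.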
