Some extra information:
- I also tried with an Oracle JDK 1.6.0_37 under 64-bit Ubuntu 12.04; same problems as with Java 7 on other platforms
- the JDK 6 where it *did* work is the Apple-provided one
I'm guessing this means that the Apple JDK has more root certificates (or shares browser certificates perhaps) that are not available to Oracle JDKs. Is this the correct conclusion? If so, can anyone point to information about how to identify and export the appropriate root certificate from the Apple JDK into the Oracle JDK?

Thanks,
Christopher

On 8 November 2012 14:15, Christopher BROWN <[email protected]> wrote:
> Hello,
>
> When I run a client program I wrote under Java 6 using Apache HTTP client
> 4.2 and connect to one of our servers with a startssl certificate, it
> works, but when I run the same program, connecting to the same server using
> Java 7 on the client, it fails. The server works fine in all web browsers
> I tried. I have tested using Windows 7 and Mac OS X 10.8. My JDK versions
> are 1.6.0_37 and 1.7.0_09.
>
> The error being returned is javax.net.ssl.SSLPeerUnverifiedException: peer
> not authenticated
>
> I'm a bit surprised that the older JDK (6) succeeds and that it's the more
> "recent" JDK (7) that triggers failure. I had initially suspected that it
> was linked to:
> https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>
> ...but by debugging the JDK SSL engine (see below), I'm wondering if JDK 7
> doesn't have the same root certificates as JDK 6...
>
> I have captured the SSL output using -Djavax.net.debug=all and can provide
> full logs. The appropriate sections (I've cut out some sections in
> ellipsis, and only included the difference for JDK 6 output; the
> difference is at the end of the certificate chain) seem to be:
>
> [ --- JDK 7 output --- ]
>
> *** Certificate chain
> chain [0] = [
> [
> Version: V3
> Subject: [email protected], CN=pi.reflexe.fr, C=FR, OID.2.5.4.13=dY5B6zfZU7iFXNvt
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>
> (...)
>
> [9]: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> DNSName: pi.reflexe.fr
> DNSName: reflexe.fr
> ]
>
> (...)
>
> chain [1] = [
> [
> Version: V3
> Subject: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>
> chain [2] = [
> [
> Version: V3
> Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>
> (...)
>
> ***
> %% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
> qtp1728816301-45, SEND TLSv1 ALERT: fatal, description = certificate_unknown
> qtp1728816301-45, WRITE: TLSv1 Alert, length = 2
> [Raw write]: length = 7
> 0000: 15 03 01 00 02 02 2E .......
> qtp1728816301-45, called closeSocket()
> qtp1728816301-45, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> qtp1728816301-45, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> [ --- JDK6 output => differs only at end --- ]
>
> ***
> Found trusted certificate:
> [
> [
> Version: V3
> Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>
> Thanks,
> Christopher
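One way to identify which JDK truststore carries the StartCom root and copy it into the other JDK with keytool, as an added example that is not part of this thread. The two cacerts paths, the default "changeit" store password and the `aliases_for_owner` helper are assumptions of this script, not keytool features; keytool prints the owner and SHA1 fingerprint before asking whether to trust the certificate, so the fingerprint can be checked against a known-good value first.

```shell
# Added example, not from the thread. Finds a root CA entry in one JDK's
# cacerts truststore and copies it into another JDK's truststore with keytool.
# Assumptions: keytool is on PATH, both stores use the default "changeit", and
# the two store paths are placeholders to replace with your own JDK paths.
SRC_STORE="${SRC_STORE:-/PATH/TO/apple-jdk/lib/security/cacerts}"   # placeholder
DST_STORE="${DST_STORE:-/PATH/TO/oracle-jdk/lib/security/cacerts}"  # placeholder
STOREPASS="${STOREPASS:-changeit}"
PATTERN="${PATTERN:-StartCom Certification Authority}"

# Print the alias of every entry in `keytool -list -v` output (stdin) whose
# Owner line contains $1. Pure awk, so it can be exercised without a JDK.
aliases_for_owner() {
  awk -v pat="$1" '
    /^Alias name: / { alias = substr($0, 13) }
    /^Owner: / && index($0, pat) > 0 { print alias }'
}

# Export one trusted cert from SRC_STORE, show owner and SHA1 fingerprint so it
# can be checked against a known-good value, then import it into DST_STORE.
copy_trusted_cert() {
  entry="$1"; pem="$(mktemp)"
  keytool -exportcert -rfc -keystore "$SRC_STORE" -storepass "$STOREPASS" \
    -alias "$entry" -file "$pem"
  keytool -printcert -file "$pem" | grep -E 'Owner:|SHA1:'
  # No -noprompt: keytool asks before trusting; read the answer from the
  # terminal because stdin inside the pipeline in main() is the alias list.
  keytool -importcert -keystore "$DST_STORE" -storepass "$STOREPASS" \
    -alias "$entry" -file "$pem" < /dev/tty
  rm -f "$pem"
}

main() {
  keytool -list -v -keystore "$SRC_STORE" -storepass "$STOREPASS" |
    aliases_for_owner "$PATTERN" |
    while read -r a; do copy_trusted_cert "$a"; done
}

# Constructed sample of `keytool -list -v` output for the offline self-test.
SAMPLE_LISTING='Alias name: startcomca
Entry type: trustedCertEntry

Owner: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Alias name: otherca
Entry type: trustedCertEntry

Owner: CN=Some Other Root, O=Example, C=US
Issuer: CN=Some Other Root, O=Example, C=US'
if [ "${1:-}" = "--run" ]; then main; fi
```

Run the script with `--run` to perform the copy; without arguments it only defines the functions and the sample listing.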
