On Sun, 2013-12-29 at 14:48 +0100, Christopher BROWN wrote:
> Hello,
>
> I've dealt with an issue where an application being migrated to HTTP client
> has (with the original HttpURLConnection class) thrown this exception:
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> This was due to a missing entry in the keystore, easy enough for me to fix.
> However, when the code in question is migrated to HTTP client 4.3+, is
> there any API for detecting that a missing keystore entry was the cause,
> and providing user feedback such as "the server is using a SSL certificate
> from Gandi, however this authority has no entry in the keystore" (I'd build
> the message, but would need to have an API to query the certificate info).
>
> Thanks,
> Christopher BROWN

Hi Christopher

Strictly speaking this problem has nothing to do with HttpClient as such. It's just purely JSSE programming.

HttpClient 4.3 ships with SSLContextBuilder [1] which is unlikely to have functionality you want out of the box, but you could take this class as a starting point for your own custom version of it. Have a look at TrustManagerDelegate. With a few minor modifications it should be able to generate more descriptive feedback in case of a trust validation failure either in a form of a better exception or a log entry.

Hope this helps

Oleg

[1] http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/xref/org/apache/http/conn/ssl/SSLContextBuilder.html
