On Tue, 2009-10-20 at 15:59 -0700, George Niculae wrote:
> Hello,
>
> I am working on XX-6247 (support uploading phonebook from gmail
> address book) and I am facing the following problem: I've created a
> client that connects to the gmail account and retrieves address book
> contacts (using GData API). Everything works fine while running it
> outside sipxconfig, however, when I am trying the same code within
> sipxconfig (https) it fails with SSLHandshakeException:
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> I am thinking that this is due to invalid SSL certificate in my
> sipxconfig but I don't know exactly how to work around this problem -
> do I have to generate certificate and then have it signed by an
> authorized CA? I have tried to generate valid SSL certificates using
> gen-ssl-keys.sh
> and install them using install-cert.sh, but it didn't solve the
> problem.
>
> Any suggestion is highly appreciated,
The first thing to figure out is: which certificate is the problem?
This is not as obvious as it might seem.
The 'validity' of a certificate depends on a few things:
* Is it constructed in a syntactically correct way, using the right magic values in the right places? The certs our generation script produces do this right, as do all the commercial CAs I've encountered, so this is unlikely to be your problem.
* Are the dates valid? Certs have a start and stop time, and outside those times they are no good (the times are in UT, so timezones don't matter). Unless you were careless with your system time, this is not likely to be your problem.
* Is the signature valid? The signature is a hash value encrypted with the private key of the signer - if you rehash the inputs (all contents of the cert) and decode the signature using the signer's public key and get the same value, then the signature is valid.
* Do you have the public key of the signer (the CA)? You can't perform the check above unless you have the public key of the CA. The openssl software comes with a bunch of built-in certificates, but they are by no means all the CAs in the world, and if you're missing the one that signed the cert you're trying to validate, then you're just out of luck.
* The CA certificate is itself a certificate that must be signed by something, and to validate any cert, you have to check the whole chain back to something that is just a priori trusted (that's what that bundle that comes with openssl is really about). Those 'root' CA certificates are self-signed (just like the one we generate for our own internal certificate authority).
You can use the generate-ssl-keys --show-cert option to dump a
certificate in readable form, which will help you decode who/what signed
it.
Then there's the additional problem that java has its own idiosyncratic way of storing certificates and keys, and all that has to be synchronized with everything else to be useful...
_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
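As an added worked example (not code from this thread or from sipXecs), the checks the reply lists can be walked through with plain openssl against a constructed two-level chain: a self-signed root CA, a leaf certificate it signs, and a second, unrelated self-signed CA that stands in for a trust bundle which has never been told about the internal CA. Every subject name, file name and validity period below is made up for the demonstration; the openssl subcommands and flags are standard.

```shell
#!/bin/sh
# Added example, not code from the sipx-dev thread or sipXecs. Walks the
# certificate checks listed in the reply using plain openssl on a constructed
# chain: a self-signed root CA, a leaf it signs, and an unrelated CA that
# plays the role of a trust bundle which has never heard of our CA.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the constructed test material. All subject names are placeholders.
make_test_chain() {
    # Self-signed root: the "a priori trusted" anchor, like the one an
    # internal CA generates for itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # Leaf key + CSR, then have the root sign the CSR (30-day validity).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=constructed.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
    # Unrelated self-signed CA: a trust bundle that lacks our root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# Syntax check plus the readable dump the reply's --show-cert option gives:
# who the cert is for, who signed it, and its validity window.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Distinguished names with the "subject="/"issuer=" prefix stripped, so a
# leaf's issuer can be compared against a CA's subject.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//';  }

# Date check: exit 0 if the cert is still valid $2 seconds from now, 1 if it
# has expired or will expire within that window.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Signature + chain check: exit 0 if the leaf chains back to a CA in the
# bundle $2 (signature verifies and the issuer is trusted), non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_chain

echo "--- leaf certificate ---"
show_cert "$WORK/leaf.crt"
echo "--- root CA (self-signed: issuer equals subject) ---"
show_cert "$WORK/ca.crt"

if chain_ok "$WORK/leaf.crt" "$WORK/ca.crt"; then
    echo "leaf verifies against a bundle containing our CA"
fi
if ! chain_ok "$WORK/leaf.crt" "$WORK/other.crt"; then
    echo "leaf does NOT verify against a bundle lacking our CA; openssl says:"
    openssl verify -CAfile "$WORK/other.crt" "$WORK/leaf.crt" 2>&1 | sed 's/^/    /'
fi
```

The second `openssl verify` reproduces, on the openssl side, the situation the exception describes: the leaf's signature is fine and its dates are fine, but the bundle handed to the verifier contains no certificate whose subject matches the leaf's issuer, so no path can be built. As the reply notes, Java consults its own store rather than the openssl bundle, so a CA that openssl trusts still has to be imported into the truststore the JVM running sipxconfig uses (the JDK's keytool does this with `keytool -importcert -trustcacerts -alias <name> -file ca.crt -keystore <truststore>`; the alias and store path are whatever that deployment uses).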