21 Replies. Latest reply: Feb 8, 2013 1:45 AM by PhHein

    PKIX path validation failed | subject/issuer name chaining check failed

    843811
      I am developing an application that simulates the user's actions in a browser (logs in to a site, does some POSTs and GETs, etc.) and I get the following error:
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
      ...
      Caused by: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
      I'm using Apache HTTP client library. Can someone explain to me what is wrong? I can do the same actions via a web browser.
        • 1. Re: PKIX path validation failed | subject/issuer name chaining check failed
          843811
          If someone is interested in the solution, I used a custom X509 certificate handler to solve it...
          • 2. Re: PKIX path validation failed | subject/issuer name chaining check failed
            843811
            Hi,

            Yes, I am very interested in the solution. I would also like to know what the problem diagnosis was.

            Was this issue only occurring on certain sites? Was your solution a workaround to a bug in Java, or are the browsers exhibiting lenient behavior for malformed certificate chains?

            Thank you!
            -Mark
            • 3. Re: PKIX path validation failed | subject/issuer name chaining check failed
              843811
              I am also experiencing the same problem.
              Would anybody have some insight into this?
              • 4. Re: PKIX path validation failed | subject/issuer name chaining check failed
                843811
                To complete this thread, here is a solution to this problem:

                http://www.trajano.net/2006/07/ssl-bypass-with-httpunit.html
                • 5. Re: PKIX path validation failed | subject/issuer name chaining check failed
                  843811
                  I am very interested in your solution to that problem - could you please post it or maybe send me the solution?
                  • 6. Re: PKIX path validation failed | subject/issuer name chaining check failed
                    EJP
                    To continue this thread, the solution given in reply #4 is radically insecure and should not be used in a production system. You may as well not use SSL at all as use this hack.

                    The basic problem here is that the client's truststore doesn't trust the server certificate supplied. Usually this means that the server certificate isn't signed by a public CA, and fixing that is the best answer. Second-best is exporting the server certificate and importing it into the client truststore, which gives you a truststore distribution problem.

                    In this particular case, there actually seems to be something wrong with the server's certificate - the chain of signers is invalid somehow, as the error message suggests. The answer in this particular case would be to fix the server certificate, or report the problem to the server people and have them fix it if they are separate.
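
One way to locate the invalid link in the chain that reply #6 describes, as an added example that is not part of the original thread: it walks a saved certificate chain and reports each adjacent pair whose issuer and subject names, or whose signature, do not chain. The class name `ChainCheck` and the PEM input file (certificate blocks only, in the order the server sent them) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic (not from the thread). args[0]: a PEM file holding the
// certificates in the order the server sent them, leaf first (assumed input).
// The JDK's default X.509 factory returns them in file order.
public class ChainCheck {
    // One finding per broken link; an empty list means each certificate
    // names, and is signed by, the certificate that follows it.
    static List<String> findBrokenLinks(List<X509Certificate> chain) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate next = chain.get(i + 1);
            String link = "link " + i + "->" + (i + 1) + ": ";
            // Name chaining: issuer of cert[i] must equal subject of cert[i+1].
            if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                findings.add(link + "issuer \"" + cert.getIssuerX500Principal().getName()
                        + "\" != subject \"" + next.getSubjectX500Principal().getName() + "\"");
                continue; // a signature check across a name break says nothing
            }
            try {
                cert.verify(next.getPublicKey()); // signature chaining
            } catch (Exception e) {
                findings.add(link + "names match but signature fails: " + e);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        for (X509Certificate c : chain) {
            System.out.println("subject=" + c.getSubjectX500Principal().getName()
                    + " | issuer=" + c.getIssuerX500Principal().getName());
        }
        List<String> findings = findBrokenLinks(chain);
        findings.forEach(System.out::println);
        if (findings.isEmpty()) System.out.println("names and signatures chain in the order given");
    }
}
```

The chain can be saved for this check from the certificate blocks printed by `openssl s_client -connect host:443 -showcerts`. Certificate validation stays enabled in the application itself; the check only reads a file.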
                    • 7. Re: PKIX path validation failed | subject/issuer name chaining check failed
                      843811
                      I actually just want to access an https webpage (https://www.telmore.dk/), and have used the code:

                      package connector;

                      import java.net.URL;
                      import java.io.*;
                      import javax.net.ssl.HttpsURLConnection;

                      public class Test
                      {
                          public static void main(String[] args)
                                  throws Exception
                          {
                              String httpsURL = "https://www.telmore.dk/";
                              URL myurl = new URL(httpsURL);
                              // Uses the JRE's default SSLContext and truststore (cacerts)
                              HttpsURLConnection con = (HttpsURLConnection) myurl.openConnection();
                              // The TLS handshake, and the certificate path validation, happen here
                              InputStream ins = con.getInputStream();
                              InputStreamReader isr = new InputStreamReader(ins);
                              BufferedReader in = new BufferedReader(isr);
                              String inputLine;

                              // Print the response body line by line
                              while ((inputLine = in.readLine()) != null)
                                  System.out.println(inputLine);

                              in.close();
                          }
                      }

                      Which is standard example code found on the web. It works fine connecting to https://www.verisign.com/ :) Telmore.dk is using an Equifax certificate, and that is already included by Sun in cacerts of Java version 6. Don't know why it works with one and not the other - can anyone help me please?

                      I get:
                      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
                      • 8. Re: PKIX path validation failed | subject/issuer name chaining check failed
                        EJP
                        > Don't know why it works with one and not the other
                        I just told you why. I would report the problem to the site and see what they have to say about why their certificate chain is invalid.
                        • 9. Re: PKIX path validation failed | subject/issuer name chaining check failed
                          843811
                          Hi EJP, thank you for taking the time to help me out. I have tried to get in contact with the site, but I am still awaiting their answer. Both Firefox and Internet Explorer have no problem with the certificate, so I think it has to do with the use of a specific keystore, or more specifically - the lack of keystore use. Maybe I haven't set it up properly?! Could also have something to do with running it through Eclipse, even though I don't expect this because Eclipse is using my normal JRE (AFAIK).
                          • 10. Re: PKIX path validation failed | subject/issuer name chaining check failed
                            843811
                            Hi mrmartinmm,

                            I have the same issue.

                            javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
                                 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
                                 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
                                 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
                                 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
                                 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
                                 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)

                            Do you have a solution for the issue?

                            Thanks!
                            • 11. Re: PKIX path validation failed | subject/issuer name chaining check failed
                              843811
                              My first issue was "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
                              After I put the certificate in jre/lib/security, I got the "subject/issuer name chaining check failed" Exception.
                              • 12. Re: PKIX path validation failed | subject/issuer name chaining check failed
                                800288
                                Why does this topic have 12,299 views? What is so interesting?
                                • 13. Re: PKIX path validation failed | subject/issuer name chaining check failed
                                  843811
                                  @ejp,

                                  I'm somewhat of a novice when it comes to these kinds of security issues, but your points about having the site provider fix the server certificate are well taken. A couple of questions:

                                  1. Given that they seem to connect to these pages just fine, what are major browsers doing, and is what they are doing also "radically insecure"?
                                  2. The sites with these unsigned server certificates are requiring clients to connect with HTTPS for their own security reasons, but a client may not have the same security concerns or may be passing data that it knows is not sensitive, right?
                                  • 14. Re: PKIX path validation failed | subject/issuer name chaining check failed
                                    EJP
                                    > 1. Given that they seem to connect to these pages just fine, what are major browsers doing, and is what they are doing also "radically insecure"?
                                    Sorry, no idea. The original problem about the signer/issuer check is clearly a problem with the certificates themselves.
                                    > 2. The sites with these unsigned server certificates are requiring clients to connect with HTTPS for their own security reasons, but a client may not have the same security concerns or may be passing data that it knows is not sensitive, right?
                                    Not sure what you're getting at here. The HTTPS server site can't accomplish its own security objectives, whatever they are, unless the connection is secure, and the connection is only secure if at least one peer is authenticated. If the site doesn't authenticate itself properly, that is clearly its problem, and a security risk. If the client 'co-operates' by ignoring the lack of authentication, that risk becomes a security breach.