PKIX path validation failed | subject/issuer name chaining check failed

843811
843811 Member Posts: 49,851
I am developing an application that simulates the user's actions on a browser (logs in to a site, does some POSTs and GETs, etc.) and I get the following error:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
...
Caused by: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
I'm using Apache HTTP client library. Can someone explain to me what is wrong? I can do the same actions via a web browser.

Comments

  • 843811
    843811 Member Posts: 49,851
    If someone is interested in the solution, I used a custom X509 certificate handler to solve it...
  • 843811
    843811 Member Posts: 49,851
    Hi,

    Yes, I am very interested in the solution. I would also like to know what the problem diagnosis was.

    Was this issue only occurring on certain sites? Was your solution a workaround to a bug in Java, or are the browsers exhibiting lenient behavior for malformed certificate chains?

    Thank you!
    -Mark
  • 843811
    843811 Member Posts: 49,851
    I am also experiencing the same problem.
    Would anybody have some insight into this?
  • 843811
    843811 Member Posts: 49,851
    To complete this thread, here is a solution to this problem:

    http://www.trajano.net/2006/07/ssl-bypass-with-httpunit.html
  • 843811
    843811 Member Posts: 49,851
    I am very interested in your solution to that problem - could you please post it or maybe send me the solution?
  • EJP
    EJP Member Posts: 32,920 Gold Crown
    edited Mar 11, 2008 6:33PM
    To continue this thread, the solution given in reply #4 is radically insecure and should not be used in a production system. You may as well not use SSL at all as use this hack.

    The basic problem here is that the client's truststore doesn't trust the server certificate supplied. Usually this means that the server certificate isn't signed by a public CA, and fixing that is the best answer. Second-best is exporting the server certificate and importing it into the client truststore, which gives you a truststore distribution problem.

    In this particular case, there actually seems to be something wrong with the server's certificate - the chain of signers is invalid somehow, as the error message suggests. The answer in this particular case would be to fix the server certificate, or report the problem to the server people and have them fix it if they are separate.
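
An added example (not from this thread or any poster): the check named in the error message, written out in Java 16+. It reports the index of the first certificate in a chain whose issuer name is not the subject name of the certificate that follows it; the class and method names and all distinguished names are constructed for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class NameChainCheck {
    /** One link of a chain: who the certificate is for and who issued it. */
    record Link(X500Principal subject, X500Principal issuer) {}

    /** Extracts subject/issuer names from certificates, leaf first, in the order received. */
    static List<Link> linksOf(X509Certificate[] chain) {
        List<Link> links = new ArrayList<>();
        for (X509Certificate c : chain) {
            links.add(new Link(c.getSubjectX500Principal(), c.getIssuerX500Principal()));
        }
        return links;
    }

    /**
     * Returns the index of the first certificate whose issuer name is not the
     * subject name of the next certificate, or -1 if every link chains.
     */
    static int firstBreak(List<Link> links) {
        for (int i = 0; i + 1 < links.size(); i++) {
            // X500Principal.equals compares canonical forms, not raw strings
            if (!links.get(i).issuer().equals(links.get(i + 1).subject())) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed names, not taken from any real site.
        Link leaf = new Link(new X500Principal("CN=www.example.test,O=Example"),
                             new X500Principal("CN=Example Issuing CA,O=Example"));
        // Same CA name as the leaf's issuer, written with different case and spacing
        Link matchingCa = new Link(new X500Principal("CN=example issuing ca, O=EXAMPLE"),
                                   new X500Principal("CN=Example Root CA,O=Example"));
        // A different CA: the leaf's issuer name does not appear as this subject
        Link otherCa = new Link(new X500Principal("CN=Other Issuing CA,O=Example"),
                                new X500Principal("CN=Example Root CA,O=Example"));

        System.out.println("matching chain: " + firstBreak(List.of(leaf, matchingCa)));
        System.out.println("mismatched chain: " + firstBreak(List.of(leaf, otherCa)));
    }
}
```

`linksOf` accepts a chain you already hold as `X509Certificate[]`, so the same check can be run on what a server actually presents.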
  • 843811
    843811 Member Posts: 49,851
    I actually just want to access an https webpage (https://www.telmore.dk/), and have used the code:

    package connector;

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    public class Test
    {
        public static void main(String[] args)
            throws Exception
        {
            String httpsURL = "https://www.telmore.dk/";
            URL myurl = new URL(httpsURL);
            // Uses the JRE's default SSLContext and truststore (cacerts)
            HttpsURLConnection con = (HttpsURLConnection) myurl.openConnection();

            // The connection and TLS handshake happen on getInputStream();
            // a certificate validation failure surfaces here
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(con.getInputStream())))
            {
                String inputLine;
                while ((inputLine = in.readLine()) != null)
                    System.out.println(inputLine);
            }
        }
    }

    Which is standard example code found on the web. It works fine connecting to https://www.verisign.com/ :) Telmore.dk is using an Equifax certificate, and that is already included by Sun in cacerts of Java version 6. Don't know why it works with one and not the other - can anyone help me please?

    I get:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
  • EJP
    EJP Member Posts: 32,920 Gold Crown
    Don't know why it works with one and not the other
    I just told you why. I would report the problem to the site and see what they have to say about why their certificate chain is invalid.
  • 843811
    843811 Member Posts: 49,851
    Hi EJP, thank you for taking the time to help me out. I have tried to get in contact with the site, but I am still awaiting their answer. Both Firefox and Internet Explorer have no problem with the certificate, so I think it has to do with the use of a specific keystore, or more specifically - the lack of keystore use. Maybe I haven't set it up properly?! Could also have something to do with running it through Eclipse, even though I don't expect this because Eclipse is using my normal JRE (AFAIK).
  • 843811
    843811 Member Posts: 49,851
    Hi mrmartinmm,

    I have the same issue.

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)

    Do you have a solution for the issue?

    Thanks!
This discussion has been closed.