PKIX path validation failed | subject/issuer name chaining check failed

843811

I am developing an application that simulates the user's actions on a browser (logs in a site, do some POST's and GET's, etc) and I get the following error:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
...
Caused by: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed

I'm using Apache HTTP client library. Can someone explain to me what is wrong? I can do the same actions via a web browser.

843811

If someone is interested in the solution, i used a custom X509 certificate handler to solve it...

843811

Hi,

Yes, I am very interested in the solution. I would also like to know what the problem diagnosis was.

Was this issue only occurring on certain sites? Was your solution a workaround to a bug in Java, or are the browsers exhibiting lenient behavior for malformed certificate chains.

Thank you!
-Mark

843811

I am also experiencing the same problem.
Would anybody have some insight into this ?

843811

To complete this thread, here is a solution to this problem:

http://www.trajano.net/2006/07/ssl-bypass-with-httpunit.html

843811

I am very interested in you solution to that problem - could you please post it or maybe send me the solution?

EJP

To continue this thread, the solution given in reply #4 is radically insecure and should not be used in a production system. You may as well not use SSL at all as use this hack.

The basic problem here is that the client's truststore doesn't trust the server certificate supplied. Usually this means that the server certificate isn't signed by a public CA, and fixing that is the best answer. Second-best is exporting the server certificate and importing it into the client truststore, which gives you a truststore distribution problem.

In this particular case, there actually seems to be something wrong with the server's certificate - the chain of signers is invalid somehow, as the error message suggests. The answer in this particular case would be to fix the server certificate, or report the problem to the server people and have them fix it if they are separate.

843811

I actually just want to access a https webpage (https://www.telmore.dk/), and have used the code :

package connector;

import java.net.URL;
import java.io.*;
import javax.net.ssl.HttpsURLConnection;

public class Test
{
public static void main(String[] args)
throws Exception
{
String httpsURL = "https://www.telmore.dk/";
URL myurl = new URL(httpsURL);
HttpsURLConnection con = (HttpsURLConnection)myurl.openConnection();
InputStream ins = con.getInputStream();
InputStreamReader isr=new InputStreamReader(ins);
BufferedReader in =new BufferedReader(isr);
String inputLine;

while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);

in.close();
}
}

Which is standard example code found on the web. It works fine connecting to https://www.verisign.com/ Telmore.dk is using an equifax certificate, and that is already included by sun in cacerts of the java version 6. Don't know why it work with one and no the other - can anyone help me please?

I get:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed

EJP

Don't know why it work with one and no the other

I just told you why. I would report the problem to the site and see what they have to say about why their certificate chain is invalid.

843811

Hi EJP, thank you for taking the time to help me out. I have tried to get in contact with the site, but I am still awaiting their answer. Both firefox and internet explorer have no problem with the certificate, so I think it has to do with the use of a specific keystore, or more specific - the lack of keystore-use. Maybe I haven't set it up properly?! Could also have something to do with running it through Eclipse, eventhough I don't expect this because Eclipse is using my normal JRE (AFAIK).

843811

Hi mrmartinmm,

I have the same issue.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)

Do you have a solution for the issue?

Thanks!