1 2 Previous Next 21 Replies Latest reply: Feb 8, 2013 1:45 AM by PhHein Go to original post RSS
      • 15. Re: PKIX path validation failed | subject/issuer name chaining check failed
        843811
        I haven't heard any client developers claim that the problem isn't on the server side. Moreover, I have no doubt that all client developers who have experienced this issue would love for the sites to fix the issue so clients wouldn't have to deal with it. But the fact is that some sites aren't fixing it, even when notified. Apparently, the major browsers have recognized this unfortunately reality and have no problem loading and rendering the pages even if it is "radically insecure" to do so.
        • 16. Re: PKIX path validation failed | subject/issuer name chaining check failed
          843811
          rcauvin wrote:
          I haven't heard any client developers claim that the problem isn't on the server side. Moreover, I have no doubt that all client developers who have experienced this issue would love for the sites to fix the issue so clients wouldn't have to deal with it. But the fact is that some sites aren't fixing it, even when notified. Apparently, the major browsers have recognized this unfortunately reality and have no problem loading and rendering the pages even if it is "radically insecure" to do so.
          I doubt it. The major modern browsers are quite picky and will at least throw warnings at you that you have to click through. The Firefox version I use, 3.6, makes it quite painful and hard to get to a page with an invalid certificate.

          So I would challenge you: prove it: show me a webserver that has a invalid certificate that Firefox will render without complaint.
          • 17. Re: PKIX path validation failed | subject/issuer name chaining check failed
            843811
            Show me a webserver that has an invalid certificate that Firefox will render without complaint.
            Sure, here is a URL that Firefox and IE load and render just fine (with no warning dialogs or error messages):

            https://www1.virginmobileusa.com/myaccount/newNotloggedinPinTopup.do?phoneNumber=1234567890&pin=999

            But doing a GET request from Java results in the aforementioned exception(s):
            javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
            PKIX path validation failed: java.security.cert.CertPathValidatorException: Path
             does not chain with any of the trust anchors
                    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
                    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
                    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
            • 18. Re: PKIX path validation failed | subject/issuer name chaining check failed
              EJP
              I don't see the relevance. That's a different exception from the one that started this thread.
              • 19. Re: PKIX path validation failed | subject/issuer name chaining check failed
                843811
                That's a different exception from the one that started this thread.
                Actually, the types of the exceptions in the chain are identical. It's just the description text of the inner exception that differs.

                Please don't dismiss this example as irrelevant when exactly the same issues apply to it as to the previous examples in this discussion. Remember, we are talking about whether it is an acceptable strategy in some cases, given the realities of how browsers work and the difficulty of getting site administrators to update their certificates, to ignore the SSL security exceptions in order to successfully load the page. The example I provided exercises this precise issue.
                • 20. Re: PKIX path validation failed | subject/issuer name chaining check failed
                  989927
                  Just follow the following steps:

                  1. Create a new keystore.
                  2. Create a CSR witht his new keystore.
                  3. Submit this CSR to your CA and obtain new code signing certificate.
                  4. Import the newly received code signing certificates to the keysotre created.
                  5. Sign the JAR again with this keystore.

                  Now your applet should load correctly.

                  The problem is that your current keystore is old and doesn't have the information of JAVA 7.
                  • 21. Re: PKIX path validation failed | subject/issuer name chaining check failed
                    PhHein
                    Thanks, but please don't revive years old threads.

                    Moderator action: I'm locking this thread.
                    1 2 Previous Next