Javax.net.ssl.SSLHandshakeException


Javax.net.ssl.SSLHandshakeException

shenrj
I was customizing BrokerPlugin, but there was an error when I was using org.apache.commons.httpclient.HttpClient to access the HTTPS site:

= = = = =

Javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

= = = = =

Can someone help me?

Re: Javax.net.ssl.SSLHandshakeException

Tim Bain
That error always means that the truststore your client is using doesn't
have a certificate that can authenticate the certificate the remote server
is presenting.

Here are some things that could cause that to happen:
1. An appropriate cert isn't in the truststore.
2. A cert that would be valid is in the truststore, but there's something
wrong with it (it's expired, revoked, doesn't list the hostname or IP in
the subjectAlternateNames, etc.). I'm not sure that this wouldn't give a
more specific exception, but it's worth checking.
3. Your truststore has a valid cert, but your client isn't actually using
it (even if you think it is).
4. Your server's cert isn't what you think it is (or the server isn't using
it), so your truststore doesn't actually validate it.

I'd suggest that you first confirm that your truststore really does
validate your server cert using some other method. There may be tools out
there that do exactly that for you, and I suggest you Google to try to find
one, but if not you could always put an image in a web or app server that's
configured to use your server cert and then write a simple piece of code to
download the image using the truststore. That would check #1 and #2.

Then to check #4, use a browser to hit your HTTPS endpoint and inspect the
cert the server presents to make sure it's the one you expect.

If none of those reveal anything wrong, #3 is your problem, in which case
you need to confirm that you're properly passing all necessary arguments to
the JVM. And remember that capitalization matters for JVM arguments.

Tim


On Feb 24, 2017 7:02 AM, "shenrj" <[hidden email]> wrote:

> I was customizing BrokerPlugin, but there was an error when I was using
> org.apache.commons.httpclient.HttpClient to access the HTTPS site:
>
> = = = = =
>
> Javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> = = = = =
>
> Can someone help me
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.nab
> ble.com/Javax-net-ssl-SSLHandshakeException-tp4722408.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>

Re: Javax.net.ssl.SSLHandshakeException

shenrj
Thanks Tim,
I have solved this problem by setting System Property in my project:

System.setProperty("javax.net.ssl.trustStore",System.getProperty("java.home")+"/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");

But I don't know how to set ActiveMQ JVM arguments.

shenrj


