- Bug
- Resolution: Not an Issue
- P4
- None
- 5.0
- x86
- windows_xp
FULL PRODUCT VERSION :
java version "1.5.0_12"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04)
Java HotSpot(TM) Client VM (build 1.5.0_12-b04, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Should appear on every OS, as the bug is in shared code.
A DESCRIPTION OF THE PROBLEM :
I'm trying to connect to a particular web site (which works fine in IE/Firefox) using HTTP over SSL in Java.
It took me a while to find where the bug comes from, but I think I've spotted it in two places:
- the server config is using a *special* server chain (in simple words, the first cert in the chain is the server's and the last cert is the CA's, but in the middle there are other useless certs)
- sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145): doBuild is executed only when conditions are not met, but in my case these conditions are met and yet the certification chain is not chaining
In fact I'm trying to connect to a French CA dedicated to the medical world. They've added their own root certificates inside their server chain (don't ask me why), which prevents their *chain* from chaining naturally.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
@see test case form field
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
a web page
ACTUAL -
@see error message
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at Test.main(Test.java:50)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 12 more
Caused by: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)
... 17 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import org.apache.commons.io.IOUtils;   // Apache Commons IO, as used by the submitter

public class Test {
    public static void main(String[] args) throws Exception {
        URL u = new URL("https://editeurs.gip-cps.fr/");
        URLConnection conn = u.openConnection();   // HttpsURLConnection: the TLS handshake runs on getInputStream()
        InputStream is = null;
        try {
            is = conn.getInputStream();
            IOUtils.copy(is, System.out);
        } finally {
            IOUtils.closeQuietly(is);
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
At the moment I don't have a written one, but I think the first action when entering the engineValidate method should be to check if the given chain argument chains naturally.
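A client-side workaround for the ordering problem the report describes, added here as an example and not code from the report or from the JDK: a trust manager that re-orders the server-supplied chain by following each certificate's issuer (matching by subject name and confirming that the candidate's key actually signed the certificate), drops certificates that are not on that path, and only then hands the ordered chain to the JDK's default X509TrustManager, so full PKIX validation against cacerts still happens. The class name, the buffer copy in main and the choice of the default TrustManagerFactory are assumptions of this example; the default URL is the one from the report.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Example (not JDK code): wraps the default X509TrustManager and changes only the
 * ORDER of the chain handed to it. Trust decisions stay with the JDK; do not
 * "fix" the error by substituting an all-trusting manager.
 */
public final class ChainOrderingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public ChainOrderingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    /** Rebuild [leaf, issuer of leaf, issuer of that, ...]; certs not on the path are dropped. */
    static X509Certificate[] orderChain(X509Certificate[] presented) throws CertificateException {
        if (presented == null || presented.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        List<X509Certificate> pool = new ArrayList<X509Certificate>(Arrays.asList(presented));
        List<X509Certificate> ordered = new ArrayList<X509Certificate>();
        X509Certificate current = pool.remove(0); // TLS puts the end-entity cert first
        ordered.add(current);
        while (!isSelfIssued(current)) {
            X509Certificate issuer = findIssuer(current, pool);
            if (issuer == null) {
                break; // the rest of the path has to come from the trust store
            }
            pool.remove(issuer);
            ordered.add(issuer);
            current = issuer;
        }
        return ordered.toArray(new X509Certificate[ordered.size()]);
    }

    private static boolean isSelfIssued(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /** A name match alone is not enough: the candidate's key must verify the subject cert's signature. */
    private static X509Certificate findIssuer(X509Certificate subject, List<X509Certificate> pool) {
        X500Principal wanted = subject.getIssuerX500Principal();
        for (X509Certificate candidate : pool) {
            if (!candidate.getSubjectX500Principal().equals(wanted)) {
                continue;
            }
            try {
                subject.verify(candidate.getPublicKey());
                return candidate;
            } catch (GeneralSecurityException e) {
                // same name, different key: not the real issuer, keep looking
            }
        }
        return null;
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(orderChain(chain), authType); // PKIX validation happens in the delegate
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // default trust store (cacerts)
        X509TrustManager dflt = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                dflt = (X509TrustManager) tm;
                break;
            }
        }
        if (dflt == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ChainOrderingTrustManager(dflt) }, null);

        String url = args.length > 0 ? args[0] : "https://editeurs.gip-cps.fr/";
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        InputStream in = conn.getInputStream(); // handshake, and so the re-ordered validation, runs here
        try {
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1;) {
                System.out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Two caveats. If the server's chain stops at a certificate whose issuer it did not send, the loop ends there and the delegate must find the issuer in the trust store, exactly as it would for a well-formed chain. And if the path reaches the CA's own self-issued root, that root still has to be in cacerts (or an explicitly configured trust store) for validation to succeed; re-ordering never adds trust, it only removes the spurious "subject/issuer name chaining check failed" caused by the misordered chain.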