Re: [jetty-users] jetty SSL outgoing connections: unable to find valid certification path to requested target

I found the solution: this config does not validate the server certificate.
In jetty.xml:

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/s_01.jks</Set>
            <Set name="keyStorePassword">...</Set>
            <Set name="keyManagerPassword">....</Set>
            <Set name="trustStore"><SystemProperty name="jetty.home" default="."/>/etc/t_01.jks</Set>
            <Set name="trustStorePassword">...</Set>
            <Set name="validateCerts">false</Set>
            <Set name="validatePeerCerts">false</Set>
          </New>
        </Arg>
        <Set name="Port"><SystemProperty name="jetty.port.ssl" default=".."/></Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
      </New>
    </Arg>
  </Call>


2013/11/14, maarten ligtvoet <maartenligtvoet@xxxxxxxxx>:
> Hi jetty-users,
>
> (sorry for the long post)
> I'm using exist-db with jetty as HTTP, HTTPS handler.
> I've added the server certificates to a jks truststore but can't get a
> live connection where my side is SSL-client and the other is
> SSL-server.
>
> Version: jetty-8.1.9.v20130131
>
> The error I receive is:
> <httpclient:response statusCode="500" xmlns:httpclient="http://exist-db.org/xquery/httpclient"><httpclient:body type="text" encoding="URLEncoded">sun.security.validator.ValidatorException%3A+PKIX+path+building+failed%3A+sun.security.provider.certpath.SunCertPathBuilderException%3A+unable+to+find+valid+certification+path+to+requested+target</httpclient:body></httpclient:response>
>
> In my logging:
> ERROR (BaseHTTPClientFunction.java [doRequest]:211) - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> ...
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>         at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
>         at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
>         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
>         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
>         at org.exist.xquery.modules.httpclient.BaseHTTPClientFunction.doRequest(BaseHTTPClientFunction.java:202)
>         at org.exist.xquery.modules.httpclient.POSTFunction.eval(POSTFunction.java:191)
>         at org.exist.xquery.BasicFunction.eval(BasicFunction.java:70)
>         at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:55)
>         at org.exist.xquery.LetExpr.eval(LetExpr.java:142)
> ...
>         at java.lang.Thread.run(Thread.java:744)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>         at sun.security.validator.Validator.validate(Validator.java:260)
>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
>         ... 109 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>         ... 115 more
>
> In my jetty.xml config I have:
> /usr/local/exist/tools/jetty/etc/jetty.xml
> ....
>
>   <Call name="addConnector">
>     <Arg>
>       <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
>         <Set name="host"><SystemProperty name="jetty.host"/></Set>
>         <Set name="port"><SystemProperty name="jetty.port" default="8877"/></Set>
>         <Set name="maxIdleTime">300000</Set>
>         <Set name="Acceptors">2</Set>
>         <Set name="statsOn">false</Set>
>         <Set name="confidentialPort"><SystemProperty name="jetty.port.ssl" default="8477"/></Set>
>         <Set name="lowResourcesConnections">20000</Set>
>         <Set name="lowResourcesMaxIdleTime">5000</Set>
>       </New>
>     </Arg>
>   </Call>
>
>   <Call name="addConnector">
>     <Arg>
>       <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>         <Set name="Port">8477</Set>
>         <Set name="maxIdleTime">30000</Set>
>         <Set name="Acceptors">2</Set>
>         <Set name="AcceptQueueSize">100</Set>
>         <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/s_01.jks</Set>
>         <Set name="Password">....</Set>
>         <Set name="KeyPassword">.....</Set>
>         <Set name="truststore"><SystemProperty name="jetty.home" default="."/>/etc/t_01.jks</Set>
>         <Set name="trustPassword">....</Set>
>       </New>
>     </Arg>
>   </Call>
>
> 1) Is this the correct place in jetty config to point to my jks
> truststore for outgoing connections? (it seems to me this is more for
> incoming? Since it lists the receiving port?)
> If it is the correct place:
> 2) How can I disable server certificate validation,
> so that my client does not validate the other's certificate?
>
> Thanks for any pointers!
> Maarten
>
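The trace quoted above is thrown by the JVM's default X509TrustManager inside eXist-db's httpclient module, which consults the JVM's default truststore (javax.net.ssl.trustStore, otherwise the JRE cacerts), not the truststore set on a Jetty connector, which governs incoming HTTPS. The following Java program is an added diagnostic, not code from this thread, Jetty or eXist-db: it builds a trust manager from a JKS truststore, attempts the outgoing handshake with validation left intact, and on a PKIX failure prints the chain the server presented and the issuer whose certificate the truststore is missing; host, port, truststore path and password are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added diagnostic (not from the thread, Jetty or eXist-db). Arguments are
// assumed: host, port, path to the client's JKS truststore, its password.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String trustStorePath = args[2];   // e.g. /usr/local/exist/tools/jetty/etc/t_01.jks
        char[] trustStorePass = args[3].toCharArray();

        // Same kind of trust manager the JVM builds for outgoing connections, from our store.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];

        // Records the chain the server presented, then delegates: validation is NOT bypassed.
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen[0] = c; real.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("OK: server chain builds to an anchor in " + trustStorePath);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            if (seen[0] != null) {
                for (X509Certificate c : seen[0])
                    System.out.println("  presented: " + c.getSubjectX500Principal() + "  issued by: " + c.getIssuerX500Principal());
                // The issuer of the last certificate sent is the anchor the truststore must contain.
                X509Certificate top = seen[0][seen[0].length - 1];
                System.out.println("Import a certificate for this issuer into the truststore: " + top.getIssuerX500Principal());
            }
        }
    }
}
```

Once the missing issuer is imported with keytool, the eXist-db client picks it up only if the JVM is started with -Djavax.net.ssl.trustStore pointing at that file (or the certificate is added to the JRE cacerts).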