Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2012/11/17 17:44:13 UTC

[jira] [Comment Edited] (HTTPCLIENT-1262) Weird SSL issue (peer not authenticated) [www.popcornopolis.com]

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499457#comment-13499457 ] 

Oleg Kalnichevski edited comment on HTTPCLIENT-1262 at 11/17/12 4:43 PM:
-------------------------------------------------------------------------

What does this all tell you?

The certificate presented by the target site is clearly not trusted, as it is not present on the list of trusted CAs. If the developers of curl or the Ning HTTP client think it is a good idea to trust certificates like that by default, it is their problem.

---
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 130239717645625039446867810265815675924598680366480291538572828355817948069212793748514833469893116011718880147177173794012266279892499833991844993361925891994365964380211747649162835760408844922777394424037787481478926521393063444048231969253187639595947459432351132031539503977746849948171699101810298296153
  public exponent: 65537
  Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
               To: Tue Oct 15 22:46:23 CEST 2013]
  Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  SerialNumber: [    59ce]
---

Having said that, one can easily configure HttpClient to accept such certificates if really necessary.

Oleg

---
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class SelfSignedTest {
    public static void main(String[] args) throws Exception {
        // Trust any self-signed certificate and skip host name verification
        SSLSocketFactory sslsf = new SSLSocketFactory(
                new TrustSelfSignedStrategy(), new AllowAllHostnameVerifier());
        Scheme https = new Scheme("https", 443, sslsf);
        DefaultHttpClient httpclient = new DefaultHttpClient();
        httpclient.getConnectionManager().getSchemeRegistry().register(https);
        HttpGet httpget = new HttpGet("https://www.popcornopolis.com/");
        HttpResponse response = httpclient.execute(httpget);
        try {
            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
        } finally {
            EntityUtils.consume(response.getEntity());
        }
    }
}
---
[DEBUG] BasicClientConnectionManager - Get connection for route {s}->https://www.popcornopolis.com
[DEBUG] DefaultClientConnectionOperator - Connecting to www.popcornopolis.com:443
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
[DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
[DEBUG] DefaultHttpClient - Attempt 1 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: www.popcornopolis.com
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2.2 (java 1.5)
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 200 OK
[DEBUG] headers - << HTTP/1.1 200 OK
[DEBUG] headers - << Date: Sat, 17 Nov 2012 16:40:46 GMT
[DEBUG] headers - << Server: Apache
[DEBUG] headers - << X-Powered-By: PHP/5.3.14 ZendServer/5.0
[DEBUG] headers - << Set-Cookie: frontend=6u7ajad46vmf1531gb2d6m3lg0; expires=Sat, 24-Nov-2012 16:40:48 GMT; path=/; domain=www.popcornopolis.com; HttpOnly
[DEBUG] headers - << Expires: Thu, 19 Nov 1981 08:52:00 GMT
[DEBUG] headers - << Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[DEBUG] headers - << Pragma: no-cache
[DEBUG] headers - << Vary: Accept-Encoding,User-Agent
[DEBUG] headers - << Keep-Alive: timeout=15, max=100
[DEBUG] headers - << Connection: Keep-Alive
[DEBUG] headers - << Transfer-Encoding: chunked
[DEBUG] headers - << Content-Type: text/html; charset=UTF-8
[DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: frontend][value: 6u7ajad46vmf1531gb2d6m3lg0][domain: www.popcornopolis.com][path: /][expiry: Sat Nov 24 17:40:48 CET 2012]". 
[DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 MILLISECONDS
----------------------------------------
HTTP/1.1 200 OK
[DEBUG] BasicClientConnectionManager - Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@4104c575
[DEBUG] BasicClientConnectionManager - Connection can be kept alive for 15000 MILLISECONDS
---
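The snippet above accepts any self-signed certificate for any host name; the following is an added example (not Oleg's code and not part of HttpClient) that narrows this to one pinned certificate using the same HttpClient 4.2 TrustStrategy hook. The hostname verifier stays relaxed because the certificate's subject is CN=web01 rather than the site's host name, so the pinned SHA-256 fingerprint (a placeholder here, to be obtained from the site operator out of band) is what ties the connection to the expected server; the class name and pin value are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;

// Trusts exactly one self-signed certificate, identified by its SHA-256
// fingerprint; anything else is passed on to the JRE trust store, which is
// what HttpClient 4.2 does when a TrustStrategy returns false.
public final class PinnedSelfSignedStrategy implements TrustStrategy {
    private final String pinnedSha256Hex;

    public PinnedSelfSignedStrategy(String pinnedSha256Hex) {
        this.pinnedSha256Hex = pinnedSha256Hex;
    }

    public boolean isTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length != 1) return false;       // pinned cert has no chain
        X509Certificate cert = chain[0];
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;                                            // not self-signed
        }
        cert.checkValidity();   // throws if the certificate is expired or not yet valid
        return pinnedSha256Hex.equalsIgnoreCase(sha256Hex(cert.getEncoded()));
    }

    static String sha256Hex(byte[] der) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Drop-in replacement for the SSLSocketFactory in Oleg's snippet. The pin is a
    // placeholder: substitute the fingerprint of the certificate obtained out of band.
    public static SSLSocketFactory pinnedFactory() {
        return new SSLSocketFactory(
                new PinnedSelfSignedStrategy("<sha256-fingerprint-of-expected-certificate>"),
                new AllowAllHostnameVerifier());
    }
}
```

Register `pinnedFactory()` in the scheme registry exactly as the original snippet registers `sslsf`; a certificate that is not the pinned one, including any other self-signed certificate, then fails the handshake instead of being silently accepted.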
                
      was (Author: olegk):
    What does this all tell you?

The certificate presented by the target site is clearly not trusted, as it is not present on the list of trusted CAs. If developers of curl or Ning http client trunk it is a good idea to trust certificates like that by default it is their problem

---
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 130239717645625039446867810265815675924598680366480291538572828355817948069212793748514833469893116011718880147177173794012266279892499833991844993361925891994365964380211747649162835760408844922777394424037787481478926521393063444048231969253187639595947459432351132031539503977746849948171699101810298296153
  public exponent: 65537
  Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
               To: Tue Oct 15 22:46:23 CEST 2013]
  Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  SerialNumber: [    59ce]
---

Having said that one can easily configure HttpClient to accept such certificates if really necessary.

Oleg

---
SSLSocketFactory sslsf = new SSLSocketFactory(
        new TrustSelfSignedStrategy(), new AllowAllHostnameVerifier());
Scheme https = new Scheme("https", 443, sslsf);
DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.getConnectionManager().getSchemeRegistry().register(https);
HttpGet httpget = new HttpGet("https://www.popcornopolis.com/");
HttpResponse response = httpclient.execute(httpget);
try {
    System.out.println("----------------------------------------");
    System.out.println(response.getStatusLine());
} finally {
    EntityUtils.consume(response.getEntity());
}
---
[DEBUG] BasicClientConnectionManager - Get connection for route {s}->https://www.popcornopolis.com
[DEBUG] DefaultClientConnectionOperator - Connecting to www.popcornopolis.com:443
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
[DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
[DEBUG] DefaultHttpClient - Attempt 1 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: www.popcornopolis.com
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2.2 (java 1.5)
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 200 OK
[DEBUG] headers - << HTTP/1.1 200 OK
[DEBUG] headers - << Date: Sat, 17 Nov 2012 16:40:46 GMT
[DEBUG] headers - << Server: Apache
[DEBUG] headers - << X-Powered-By: PHP/5.3.14 ZendServer/5.0
[DEBUG] headers - << Set-Cookie: frontend=6u7ajad46vmf1531gb2d6m3lg0; expires=Sat, 24-Nov-2012 16:40:48 GMT; path=/; domain=www.popcornopolis.com; HttpOnly
[DEBUG] headers - << Expires: Thu, 19 Nov 1981 08:52:00 GMT
[DEBUG] headers - << Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[DEBUG] headers - << Pragma: no-cache
[DEBUG] headers - << Vary: Accept-Encoding,User-Agent
[DEBUG] headers - << Keep-Alive: timeout=15, max=100
[DEBUG] headers - << Connection: Keep-Alive
[DEBUG] headers - << Transfer-Encoding: chunked
[DEBUG] headers - << Content-Type: text/html; charset=UTF-8
[DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: frontend][value: 6u7ajad46vmf1531gb2d6m3lg0][domain: www.popcornopolis.com][path: /][expiry: Sat Nov 24 17:40:48 CET 2012]". 
[DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 MILLISECONDS
----------------------------------------
HTTP/1.1 200 OK
[DEBUG] BasicClientConnectionManager - Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@4104c575
[DEBUG] BasicClientConnectionManager - Connection can be kept alive for 15000 MILLISECONDS
---
                  
> Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
> ----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1262
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1262
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>    Affects Versions: 4.2.2
>         Environment: JDK 1.6, Mac OS X 10.{6,8}, Ubuntu
>            Reporter: Cédric Chantepie
>            Priority: Trivial
>              Labels: pki, ssl
>
> Trying to request some HTTPS websites, we get a 'PKIX path building failed' error.
> It seems to be about the intermediate/chain certificate.
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
> at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at org.jirafe.shaded.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
> at org.jirafe.shaded.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
> at org.jirafe.shaded.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> at Test.main(Test.java:22)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
> ... 17 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
> ... 23 more
