Posted to httpclient-users@hc.apache.org by Christopher BROWN <br...@reflexe.fr> on 2013/12/29 14:48:01 UTC

Providing feedback when an SSL certificate is not recognized (due to missing entry in keystore)

Hello,

I've dealt with an issue where an application being migrated to HTTP client
has (with the original HttpURLConnection class) thrown this exception:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

This was due to a missing entry in the keystore, easy enough for me to fix.
However, when the code in question is migrated to HTTP client 4.3+, is
there any API for detecting that a missing keystore entry was the cause,
and providing user feedback such as "the server is using an SSL certificate
from Gandi, however this authority has no entry in the keystore" (I'd build
the message, but would need to have an API to query the certificate info).

Thanks,
Christopher BROWN

Re: Providing feedback when an SSL certificate is not recognized (due to missing entry in keystore)

Posted by Christopher BROWN <br...@reflexe.fr>.
Thanks Oleg, I'll take it from here, now that I know where to start from.

--
Christopher



On 30 December 2013 11:51, Oleg Kalnichevski <ol...@apache.org> wrote:
> Hi Christopher
>
> Strictly speaking this problem has nothing to do with HttpClient as
> such. It's just purely JSSE programming.
>
> HttpClient 4.3 ships with SSLContextBuilder [1] which is unlikely to
> have the functionality you want out of the box, but you could take this
> class as a starting point for your own custom version of it. Have a look
> at TrustManagerDelegate. With a few minor modifications it should be
> able to generate more descriptive feedback in case of a trust validation
> failure, either in the form of a better exception or a log entry.
>
> Hope this helps
>
> Oleg
>
> [1]
> http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/xref/org/apache/http/conn/ssl/SSLContextBuilder.html
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: Providing feedback when an SSL certificate is not recognized (due to missing entry in keystore)

Posted by Oleg Kalnichevski <ol...@apache.org>.
Hi Christopher

Strictly speaking this problem has nothing to do with HttpClient as
such. It's just purely JSSE programming.

HttpClient 4.3 ships with SSLContextBuilder [1] which is unlikely to
have the functionality you want out of the box, but you could take this
class as a starting point for your own custom version of it. Have a look
at TrustManagerDelegate. With a few minor modifications it should be
able to generate more descriptive feedback in case of a trust validation
failure, either in the form of a better exception or a log entry.

Hope this helps

Oleg

[1]
http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/xref/org/apache/http/conn/ssl/SSLContextBuilder.html
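An added example (not code from this thread or from HttpClient) of the kind of JSSE wrapper Oleg describes: a delegating X509TrustManager that keeps the JVM's default PKIX validation unchanged and, when it fails, rethrows with the subject and issuer read from the chain the server presented, then plugged into HttpClient 4.3 through SSLConnectionSocketFactory. The class name DescribingTrustManager and its helper names are my own.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Wraps the JVM's default X509TrustManager; validation is unchanged, only the failure message improves. */
public final class DescribingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public DescribingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** The JVM's PKIX trust manager (null keystore = cacerts or -Djavax.net.ssl.trustStore). */
    public static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Message a user can act on: leaf subject, issuer of the last cert the server sent, PKIX reason. */
    static String describe(X509Certificate[] chain, CertificateException cause) {
        X509Certificate leaf = chain[0];                   // chain[0] is the server's own certificate
        X509Certificate top = chain[chain.length - 1];     // its issuer is the authority the keystore lacks
        return "Server certificate for " + leaf.getSubjectX500Principal().getName()
             + " chains up to issuer " + top.getIssuerX500Principal().getName()
             + ", which has no entry in the keystore (" + cause.getMessage() + ")";
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            delegate.checkServerTrusted(chain, authType);  // real PKIX path validation, not relaxed
        } catch (CertificateException e) {
            throw new CertificateException(describe(chain, e), e); // still fails, with a descriptive message
        }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Plugs the wrapper into HttpClient 4.3 through a custom SSLContext. */
    public static CloseableHttpClient newClient() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DescribingTrustManager(defaultTrustManager()) }, null);
        return HttpClients.custom().setSSLSocketFactory(new SSLConnectionSocketFactory(ctx)).build();
    }
}
```

JSSE wraps the CertificateException inside the SSLHandshakeException, so the descriptive text is reachable via getCause() on the exception that execute() throws; the catch block could equally log it instead of rethrowing, as Oleg suggests.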

