After 6.2.2, all Java SSL handshakes fail.
2015-03-11
10:28 PM
Hi, I have been trying to troubleshoot a problem I have with FileBot on our ReadyNAS. At first I thought it was a FileBot thing, but it's not. Ever since I upgraded to 6.2.2, all outbound SSL handshakes are failing from Java.
I have installed/uninstalled/reinstalled (a lot) java 1.7 jdk using apt-get. I have googled a heap, and the servers I am trying to connect to for testing do not use self-signed certs. Even so, I have tried to import them manually. I have uninstalled ca-certificates and ca-certificates-java, I have set the $JAVA_HOME, unset it, left it as default (blank) after apt-get. I'm out of ideas.
Whether running basic FileBot command (filebot -script fn:sysinfo) or using a test class HTTPSClient.java, I get the same error, which is
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I am using HTTPSClient to try to connect to docs.google.com, godaddy.com, microsoft.com, facebook.com, etcetera. Mainstream secure sites.
I am not sure what to do from here, any tips?
The HTTPSClient.java is a class I found while googling; its contents are as follows:
import java.net.*;
import java.io.*;
import javax.net.ssl.*;

public class HTTPSClient {
    public static void main(String[] args) {
        if (args.length == 0) {
            System.out.println("Usage: java HTTPSClient host");
            return;
        }
        int port = 443; // default https port
        String host = args[0];
        try {
            // The JSSE provider is registered by default, so no explicit
            // Security.addProvider(...) call is needed.
            // The default factory validates the server chain against the JVM's default trust store.
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
            Writer out = new OutputStreamWriter(socket.getOutputStream());
            // send a minimal HTTP/1.0 request for the root path
            out.write("GET / HTTP/1.0\r\n");
            out.write("\r\n");
            out.flush();
            // read response
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream()));
            int c;
            while ((c = in.read()) != -1) {
                System.out.write(c);
            }
            out.close();
            in.close();
            socket.close();
        } catch (IOException e) {
            // an SSLHandshakeException (PKIX path building failed) lands here
            System.err.println(e);
        }
    }
}
Message 1 of 2
2015-03-31
03:52 PM
Re: After 6.2.2, all Java SSL handshakes fail.
Sounds like the same problem I just found. You likely just need to downgrade your ca-certificates package as I did in this post.
http://www.readynas.com/forum/viewtopic.php?f=35&t=78975&p=456647#p456647
I'm not sure if it was something in the overall 6.2.2 upgrade, or the ca-certificate netgear package that removed all the old CA certs. But that would definitely result in any SSL handshakes failing for certs which aren't signed by Verisign or Entrust (the only 2 CAs the netgear package installs).
Message 2 of 2
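Added example, not code from either poster: a diagnostic for the trust-store explanation given in the reply. It lists the CA certificates the JVM's default trust manager accepts and, when given a host argument, records the chain that server presents while still delegating validation to the default trust manager. The names TrustStoreAudit and Recording are hypothetical, chosen for this example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustStoreAudit {
    // Wraps the default trust manager: remembers the chain the server sent,
    // then delegates, so the validation decision is unchanged.
    static class Recording implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] chain = new X509Certificate[0];
        Recording(X509TrustManager d) { delegate = d; }
        public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
            chain = c;
            delegate.checkServerTrusted(c, t);
        }
        public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { delegate.checkClientTrusted(c, t); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        // A null KeyStore makes JSSE load its default trust store (cacerts unless overridden).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager def = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) { def = (X509TrustManager) tm; break; }
        if (def == null) throw new IllegalStateException("no X509TrustManager available");
        X509Certificate[] anchors = def.getAcceptedIssuers();
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore", "(JRE default)"));
        System.out.println(anchors.length + " trusted CA certificates:");
        for (X509Certificate ca : anchors)
            System.out.println("  " + ca.getSubjectX500Principal().getName() + "  (expires " + ca.getNotAfter() + ")");
        if (args.length == 0) return; // listing only, no network needed

        Recording rec = new Recording(def);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443)) {
            s.startHandshake();
            System.out.println(args[0] + ": chain validated");
        } catch (SSLHandshakeException e) {
            // The issuer of the last certificate printed is the CA to look for in the list above.
            System.out.println(args[0] + ": " + e.getMessage());
            for (X509Certificate c : rec.chain)
                System.out.println("  subject=" + c.getSubjectX500Principal().getName() + " | issuer=" + c.getIssuerX500Principal().getName());
        }
    }
}
```

Run it with no arguments to list the trust anchors, or with a hostname to see which issuer in that server's chain is missing from the list. A list of only a handful of CAs is consistent with the stripped-down certificate bundle described in the reply.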