Hi jetty-users,

(sorry for the long post)

I'm using exist-db with jetty as HTTP/HTTPS handler. I've added the server certificates to a jks truststore but can't get a live connection where my side is SSL-client and the other is SSL-server.

Version: jetty-8.1.9.v20130131

The error I receive is:

    <httpclient:response statusCode="500" xmlns:httpclient="http://exist-db.org/xquery/httpclient">
      <httpclient:body type="text" encoding="URLEncoded">sun.security.validator.ValidatorException%3A+PKIX+path+building+failed%3A+sun.security.provider.certpath.SunCertPathBuilderException%3A+unable+to+find+valid+certification+path+to+requested+target</httpclient:body>
    </httpclient:response>

In my logging:

    ERROR (BaseHTTPClientFunction.java [doRequest]:211) - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.exist.xquery.modules.httpclient.BaseHTTPClientFunction.doRequest(BaseHTTPClientFunction.java:202)
        at org.exist.xquery.modules.httpclient.POSTFunction.eval(POSTFunction.java:191)
        at org.exist.xquery.BasicFunction.eval(BasicFunction.java:70)
        at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:55)
        at org.exist.xquery.LetExpr.eval(LetExpr.java:142)
        ...
        at java.lang.Thread.run(Thread.java:744)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        ... 109 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
        ... 115 more

In my jetty.xml config I have:

/usr/local/exist/tools/jetty/etc/jetty.xml

    ....
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
          <Set name="host"><SystemProperty name="jetty.host"/></Set>
          <Set name="port"><SystemProperty name="jetty.port" default="8877"/></Set>
          <Set name="maxIdleTime">300000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="statsOn">false</Set>
          <Set name="confidentialPort"><SystemProperty name="jetty.port.ssl" default="8477"/></Set>
          <Set name="lowResourcesConnections">20000</Set>
          <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
      </Arg>
    </Call>

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
          <Set name="Port">8477</Set>
          <Set name="maxIdleTime">30000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="AcceptQueueSize">100</Set>
          <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/s_01.jks</Set>
          <Set name="Password">....</Set>
          <Set name="KeyPassword">.....</Set>
          <Set name="truststore"><SystemProperty name="jetty.home" default="."/>/etc/t_01.jks</Set>
          <Set name="trustPassword">....</Set>
        </New>
      </Arg>
    </Call>

1) Is this the correct place in jetty config to point to my jks truststore for outgoing connections? (It seems to me this is more for incoming, since it lists the receiving port?) If it is the correct place:

2) How can I disable server certificate validation, so that my client does not validate the other's certificate?

Thanks for any pointers!

Maarten

_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
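Added example (editor's note; this is not code from Maarten's post, from Jetty or from eXist-db). The `truststore` and `trustPassword` settings on an `SslSelectChannelConnector` configure what that listening connector trusts when a connecting client presents a certificate; an outgoing HTTPS request made by code running inside the server uses whichever `SSLContext` that code builds, which for a client that does not build its own is the JVM default, read from `javax.net.ssl.trustStore` (it is assumed here that the eXist httpclient module falls into that category). The diagnostic below loads the same JKS file with the same PKIX trust manager the JVM uses, performs a client handshake against a host, and when the chain is rejected prints the subjects and issuers that were actually presented, so you can see which issuer is missing from the truststore. Validation is never turned off; the wrapper rethrows. The truststore path, password and host are placeholders taken from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic (example code, not part of Jetty or eXist-db): load a JKS truststore,
 * build a PKIX trust manager from it and run a TLS handshake as a client.
 * On rejection the presented chain is printed so the missing issuer is visible.
 */
public class TrustStoreCheck {

    /** Delegates every decision to the real PKIX trust manager; only adds reporting. */
    static final class ReportingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        ReportingTrustManager(X509TrustManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                System.err.println("Server chain rejected: " + e.getMessage());
                for (int i = 0; i < chain.length; i++) {
                    System.err.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                            + " issuer=" + chain[i].getIssuerX500Principal());
                }
                System.err.println("The issuer of the last certificate above must be a trust anchor in the truststore.");
                throw e; // fail closed: reporting never replaces validation
            }
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    /** Loads the JKS file and returns the JVM's own PKIX X509TrustManager for it. */
    static X509TrustManager pkixTrustManager(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available for " + path);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <password> <host> [port]");
            System.exit(2);
        }
        String path = args[0];                       // e.g. the t_01.jks from jetty.xml
        char[] password = args[1].toCharArray();     // placeholder: the truststore password
        String host = args[2];                       // placeholder: the SSL-server you call
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 443;

        X509TrustManager real = pkixTrustManager(path, password);
        System.out.println("Trust anchors in " + path + ": " + real.getAcceptedIssuers().length);

        // Client-side context that trusts exactly the contents of the given truststore.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReportingTrustManager(real) }, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("Handshake OK with " + host + ":" + port
                    + " using " + socket.getSession().getProtocol());
        }
    }
}
```

Run it as `java TrustStoreCheck /usr/local/exist/tools/jetty/etc/t_01.jks '<trustPassword>' <remote-host> 443`. If the handshake succeeds here but the eXist request still fails with the same PKIX error, the outgoing client is not consulting that file, and the usual fix is to point the JVM default at it in the start script with `-Djavax.net.ssl.trustStore=/usr/local/exist/tools/jetty/etc/t_01.jks -Djavax.net.ssl.trustStorePassword=<trustPassword>`; if the handshake fails here too, the printed issuer of the last certificate in the chain is the one to import into t_01.jks.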
