I have been testing usage of the Redstone library with an embedded Jetty server in my application. I was able to get both client and server side working properly with standard HTTP and now need to take a look at implementing SSL encryption. I was able to switch the server over to SSL with a generated cert and even connect to the server with an cerl examination tool to prove the server-side is working properly.
However, I see no documentation or obvious API for SSL on the client side. I tried using straight XmlRpcClient with an "https:" prefix and received the following stack trace:
redstone.xmlrpc.XmlRpcException: A network error occurred.
at redstone.xmlrpc.XmlRpcClient.endCall(Unknown Source)
at redstone.xmlrpc.XmlRpcClient.invoke(Unknown Source)
at com.dsci.spidre.inlines.TestRpcClient.main(TestRpcClient.java:35)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
... 20 more
On the server side, the client error also causes an associated error:
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
Is Redstone's Client API capable of connecting to a server via SSL?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2010-07-30
Nevermind, I was able to determine that this was caused by the server certificate not being placed into the keystore on the client side. Doing so resolved the issue.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I have been testing usage of the Redstone library with an embedded Jetty server in my application. I was able to get both client and server side working properly with standard HTTP and now need to take a look at implementing SSL encryption. I was able to switch the server over to SSL with a generated cert and even connect to the server with an cerl examination tool to prove the server-side is working properly.
However, I see no documentation or obvious API for SSL on the client side. I tried using straight XmlRpcClient with an "https:" prefix and received the following stack trace:
redstone.xmlrpc.XmlRpcException: A network error occurred. at redstone.xmlrpc.XmlRpcClient.endCall(Unknown Source) at redstone.xmlrpc.XmlRpcClient.invoke(Unknown Source) at com.dsci.spidre.inlines.TestRpcClient.main(TestRpcClient.java:35) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230) ... 3 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200) at sun.security.validator.Validator.validate(Validator.java:218) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053) ... 14 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289) ... 20 moreOn the server side, the client error also causes an associated error:
Is Redstone's Client API capable of connecting to a server via SSL?
Nevermind, I was able to determine that this was caused by the server certificate not being placed into the keystore on the client side. Doing so resolved the issue.