Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: Marcus W. <Ma...@Wo...> - 2010-01-10 19:38:48
Rolf Viehmann schrieb:
>> Any idea what could have happened? I'm sure the old certificate
>> wasn't in the list of trust anchors either, and that it was
>> implemented to simply accept all certificates. The code of the
>> application has not changed in half a year.
>
> If your application hasn't changed, maybe the server was upgraded
> or something alike. Maybe it got an "Extended Validation"
> certificate instead of a plain one.

Of course they did get a new certificate. Why else would it fail? Extended
validation has nothing to do with it. In fact, it is useless for HBCI as the
certificate is never presented to the user at all.

> It seems as if the application is doing a real check whether the
> server's certificate is valid. So you could provide this list with
> the following information:
>
> -> How you tried to implement the "simply accept all certificates"
> part of the application. Maybe this class (classes) is not really
> loaded and used, or it contains some sort of mistake.

This is the mailing list of HBCI4Java. Why would I use my own implementation
when "client.passport.PinTan.checkcert"
http://hbci4java.kapott.org/javadoc/org/kapott/hbci/manager/HBCIUtils.html
is already provided and documented for exactly that purpose? I reviewed my
code and found a possibility that the above-mentioned setting was not in
effect at that time. I'll try again soon.

> -> Which host you tried to connect to. If the host has an official
> certificate (that would be accepted by all major browsers), it
> should not normally be necessary to accept all certificates.

I very much doubt that my bank uses anything BUT an official certificate from
one of the major commercial CAs.

> In this case, you probably only want to add the root certificate of
> the certificate authority,

That's exactly what I wanted to avoid, for my users, as it is a PITA to add a
trust anchor to the default Java keystore. (First issue: it's password
protected and they don't document the password.)

> as well as the intermediate certificates that are used in the chain.

You do know that the server has to send the intermediate certificates along
and usually does so?

> Accepting all certificates (including invalid ones) should only be
> the last thing you do if everything else fails or if the server is
> completely under your control and you don't want to spend any money
> on a real certificate (for example, a dev server on a local
> network).

We are talking about a very large international bank here. Why do you think I
would have any control over the server?
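The two points argued above (the server has to send its intermediates, and the root has to be a trust anchor on the client) can be reproduced offline. The script below is an added example and is not code from this thread or from HBCI4Java: it builds a throwaway root -> intermediate -> leaf PKI with openssl, plus an unrelated second root, and then asks openssl to validate the leaf under the four combinations that matter. The names (Example Root CA, hbci.example.test) and file layout are made up for the demonstration; the "fail" cases are the same situation the Java exception "Path does not chain with any of the trust anchors" reports.

```shell
#!/bin/sh
# Added example, not from the HBCI4Java thread or project. Rebuilds the
# "does not chain to a trust anchor" failure with a throwaway PKI and shows
# which inputs make the chain validate. All names below are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"

# sign_with_ca CSR CA_CERT CA_KEY EXT_FILE OUT : issue a cert from a CA key
sign_with_ca() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -extfile "$4" -out "$5" 2>/dev/null
}

# Build root -> intermediate -> leaf, and a second, unrelated root for the
# negative case (trusting the wrong CA).
make_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:hbci.example.test\n' > leaf.ext

  for name in root other-root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=Example $name" 2>/dev/null
  done
  # Both roots are self-signed; only "root" actually issues the intermediate.
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in other-root.csr -signkey other-root.key -days 3650 -extfile ca.ext -out other-root.pem 2>/dev/null
  sign_with_ca intermediate.csr root.pem root.key ca.ext intermediate.pem
  sign_with_ca leaf.csr intermediate.pem intermediate.key leaf.ext leaf.pem
  # A trust store holding root and intermediate together, as suggested in the thread.
  cat root.pem intermediate.pem > root-and-intermediate.pem
}

# chain_status TRUST_FILE LEAF [UNTRUSTED_INTERMEDIATES] : prints "ok" or "fail".
# TRUST_FILE plays the role of the Java trust store; the optional third argument
# plays the role of the intermediates a TLS server sends along with its leaf.
chain_status() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

main() {
  make_pki
  echo "root trusted, server sends no intermediate:   $(chain_status "$WORK/root.pem" "$WORK/leaf.pem")"
  echo "wrong root trusted, intermediate sent:        $(chain_status "$WORK/other-root.pem" "$WORK/leaf.pem" "$WORK/intermediate.pem")"
  echo "right root trusted, intermediate sent:        $(chain_status "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/intermediate.pem")"
  echo "root and intermediate both in trust store:    $(chain_status "$WORK/root-and-intermediate.pem" "$WORK/leaf.pem")"
}

main "$@"
```

The first two lines of output are the failure modes a client sees in practice: a server that omits its intermediate, or a trust store that does not contain the CA that really issued the bank's certificate (which is what a CA change on the bank's side looks like from the client). Once the correct root is identified, a dedicated trust store built with `keytool -importcert -file root.pem -alias bankroot -keystore bank.jks -storepass <password>` and selected at run time with `-Djavax.net.ssl.trustStore=bank.jks` keeps validation on without touching the JRE's default cacerts file; disabling the check via `client.passport.PinTan.checkcert` gives up the only protection against a man-in-the-middle on the banking connection.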