Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: HBCI4Java (S. Palme) <hbc...@ka...> - 2010-01-11 16:21:12
Hi

Although you have solved the issue already, here are some comments from me:

On Sun, 2010-01-10 at 20:50 +0100, Marcus Wolschon wrote:
> The bank switched CAs and the CA they chose this time is not in
> the default Java-Truststore sun provides.

Can you tell me which Java version you are using and which CA
certificate is missing in the standard cacert truststore? This may be
important information for other users, too.

On Mon, 2010-01-11 at 02:04 +0100, Rolf Viehmann wrote:
> http://hbci4java.kapott.org/javadoc/org/kapott/hbci/manager/HBCIUtils.html
>
> is already provided and documented for exactly that purpose?
>
> I'm not sure how long the option client.passport.PinTan.checkcert has
> been available and documented, it could very well have been that this
> option didn't exist in an older version of the library

Just FYI: This was one of the very first options that have been
implemented, because the test server which I have used in the "old days"
did not have an "official" SSL certificate, so I had to disable
certification checking to be able to work in HBCI-PIN/TAN at all :-)

On Mon, 2010-01-11 at 06:11 +0100, Marcus Wolschon wrote:
> > If I understand it correctly, you could use the parameter
> > client.passport.PinTan.certfile to specify a file that you ship
> > along with your code that will be used by HBCI4Java. This file
> > could contain any (root or immediate) certificate that will be
> > needed to communicate with the host.
>
> Do you know any way of doing this at configuration-time inside the
> program? Preferably one that works with any version of the hbci-protocol.
> (I don't know much about how hbci and FinTS work on the network-layer.)

This stuff is totally independent of HBCI4Java - it's a feature of the
Java runtime environment itself (see the Java docs). You can import SSL
certificates into your own truststore file (one similar to the provided
cacert file) using "keytool".

With HBCI4Java's kernel parameter client.passport.PinTan.certfile you
can specify the name of such a file, which will then be used by Java's
SSL engine in addition to the standard cacert file.

> I don't think it's an option to ship and update the certificates of
> every bank the user could configure with the software.

Of course, you are right. But if you work with an "older" Java version,
which does not yet include the (maybe very new) root certificate in
question, this may be the only way. The alternative would be to tell
your users that they need a relatively new Java version (which includes
the root cert in question).

By the way, this is the reason for my first question in this mail: if
you already use a very new Java version, and this certificate is not
included, this may cause bigger problems - not only for HBCI4Java, but
all Java applications working with certificates...

Regards
-stefan-

--
---------------------------------------------------------------------
Stefan Palme
Email: pa...@ka...
WWW: http://hbci4java.kapott.org
GnuPG-Fingerprint: 1BA7 D217 36A1 534C A5AD F18A E2D1 488A E904 F9EC
---------------------------------------------------------------------
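Added example, not part of the original mail and not HBCI4Java's own code: one way plain Java can trust an extra truststore file in addition to the default cacerts, which is the behaviour the mail describes for client.passport.PinTan.certfile, while keeping certificate checking enabled. The class name and the truststore path and password passed as arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class ExtraTrustStore {
    // Trust manager backed by the given store; null selects the JRE default (cacerts).
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    // Accept a server chain if the default store OR the extra store validates it.
    static X509TrustManager combined(X509TrustManager jre, X509TrustManager extra) {
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                try {
                    jre.checkServerTrusted(c, t);
                } catch (CertificateException e) {
                    extra.checkServerTrusted(c, t); // throws if this store rejects it too
                }
            }
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jre.checkClientTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> all = new ArrayList<>(Arrays.asList(jre.getAcceptedIssuers()));
                all.addAll(Arrays.asList(extra.getAcceptedIssuers()));
                return all.toArray(new X509Certificate[0]);
            }
        };
    }
    public static void main(String[] args) throws Exception {
        // args[0]: truststore file built with keytool -importcert; args[1]: its password (assumed).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        X509TrustManager tm = combined(trustManagerFor(null), trustManagerFor(ks));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null); // ctx.getSocketFactory() goes to the HTTPS client
        System.out.println("accepted issuers: " + tm.getAcceptedIssuers().length);
    }
}
```

A chain that neither store can validate still ends in a CertificateException, so the connection fails instead of proceeding unchecked.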