Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: Marcus W. <Ma...@Wo...> - 2010-01-11 16:43:59
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HBCI4Java (Stefan Palme) wrote:
> Hi
>
> Although you have solved the issue already, here some comments from me:
>
> On Sun, 2010-01-10 at 20:50 +0100, Marcus Wolschon wrote:
>> The bank switched CAs and the CA they chose this time is not in
>> the default Java-Truststore sun provides.
>
> Can you tell me, which java version you are using and which CA
> certificate is missing in the standard cacert truststore? This
> may be an important information for other users, too.

I was using 1.6.0.07 .
The certificate is the one Comdirect uses. I have no idea how to obtain
that as I have no client nor code that can open an SSL-dialog for
FinTS/HBCI and save the certificate to a PEM or DER-file.

> On Mon, 2010-01-11 at 06:11 +0100, Marcus Wolschon wrote:
>>> If I understand it correctly, you could use the parameter
>>> client.passport.PinTan.certfile to specify a file that you ship
>>> along with your code that will be used by HBCI4Java. This file
>>> could contain any (root or immediate) certificate that will be
>>> needed to communicate with the host.
>> Do you know any way of doing this at configuration-time inside the
>> program? Preferably one that works with any version of the hbci-protocol.
>> (I don't know much about how hbci and FinTS work on the network-layer.)
>
> This stuff is totally independent of HBCI4Java - it's a feature of
> the Java runtime environment itself (see the Java docs). You can
> import SSL certificates into an own truststore file (one similar to
> the provided cacert file) using "keytool".

I know that it is possible to add a certificate with keytool but
a) that does not cover the important part of obtaining the certificate
   in the first place
b) that is not "inside the program" but would require an advanced user
   that can be trusted to perform such operations on the command-line
   without help.

>
> With HBCI4Java's kernel parameter client.passport.PinTan.certfile
> you can specify the name of such a file, which will then be used
> by Java's SSL engine in addition to the standard cacert file.

I know that.

>> I don't think it's an option to ship and update the certificates of
>> every bank the user could configure with the software.
>
> Of course, you are right. But if you work with an "older" Java version,
> which does not yet include the (maybe very new) root certificate in
> question, this may be the only way.

How do you combine "not an option" and "the only way"?
Both are mutually exclusive answers.

>
> By the way, this is the reason for my first question in this mail: if
> you already use a very new Java version, and this certificate is not
> included, this may cause bigger problems - not only for HBCI4Java, but
> all Java applications working with certificates...

1.6.0.07
I know their HTTP-certificate is an EV cert from VeriSign but I have
no idea about their FinTS-certificate.

>
> Regards
> -stefan-
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAktLVTIACgkQf1hPnk3Z0cQOYQCfWvQH+n4BSEAD61DyXZij0Cz4
TqkAnjI5SZvPuVx5P9/aXUuzZGs9vlED
=4u5z
-----END PGP SIGNATURE-----
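The two gaps Marcus names above, getting hold of the bank's certificate chain without a dedicated client, and adding it to a truststore from inside the program rather than with `keytool` on the command line, can both be covered with plain JRE APIs. The following is an added example written for this page; it is not code from the thread and not part of HBCI4Java. The host name `hbci.example.invalid`, the alias `bank-ca`, the output file name and the password are placeholders I made up. It wraps the JRE's default `X509TrustManager` so the chain the server presents is recorded before the normal validation runs; if validation fails with the `CertPathValidatorException` from the subject line, the chain is still available and is printed with SHA-256 fingerprints. Only after an operator has compared a fingerprint against a value published by the bank or the CA is the chosen certificate written into a separate JKS truststore, which is the kind of file the thread says can then be handed to HBCI4Java via `client.passport.PinTan.certfile` (or to the JRE via `javax.net.ssl.trustStore`).

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical helper (not HBCI4Java code): capture the chain a TLS server
 * sends, validate it against the JRE's cacerts, print fingerprints for
 * out-of-band checking, and optionally write one cert into its own truststore.
 */
public class ChainCapture {

    /** Records the presented chain, then delegates to the JRE's default trust manager. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain = new X509Certificate[0];

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain.clone();                    // keep a copy even if validation fails
            delegate.checkServerTrusted(chain, authType); // normal path validation; may throw
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The trust manager backed by the JRE's standard cacerts file. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                        // null means: use the default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Opens a TLS session and returns the chain the server sent, whether or not it validated. */
    static X509Certificate[] captureChain(String host, int port) throws Exception {
        RecordingTrustManager recorder = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();
            System.out.println("chain validated against the default truststore");
        } catch (SSLHandshakeException e) {
            // This is where "Path does not chain with any of the trust anchors" surfaces.
            System.out.println("handshake failed: " + e.getMessage());
        } finally {
            sock.close();
        }
        return recorder.lastChain;
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding, for comparison with a published value. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Writes a single certificate into a fresh JKS truststore at the given path. */
    static void writeTrustStore(X509Certificate cert, String alias, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                              // start from an empty store
        ks.setCertificateEntry(alias, cert);
        OutputStream out = new FileOutputStream(path);
        try { ks.store(out, password); } finally { out.close(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "hbci.example.invalid"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        X509Certificate[] chain = captureChain(host, port);
        for (X509Certificate c : chain) {
            System.out.println(c.getSubjectX500Principal()
                    + "\n  issuer:  " + c.getIssuerX500Principal()
                    + "\n  SHA-256: " + sha256Fingerprint(c));
        }
        // Only after the fingerprint was checked out of band: persist the top-most sent cert.
        if (chain.length > 0 && args.length > 2 && "--trust-top".equals(args[2])) {
            X509Certificate top = chain[chain.length - 1];
            writeTrustStore(top, "bank-ca", "bank-truststore.jks", "changeit".toCharArray());
        }
    }
}
```

Two points matter when using this. First, the recorded chain is untrusted data until it has been checked: a certificate the server itself hands you proves nothing about who runs that server, which is why the program prints fingerprints and only writes a truststore on an explicit flag, after a human has matched the fingerprint against the CA's or bank's published value. Second, servers frequently omit the root and send only the leaf and intermediates, so the last element of the captured chain is often an intermediate; trusting that intermediate works until it is rotated, whereas fetching the actual root from the CA's own site (verified the same way) survives intermediate changes. The same `writeTrustStore` logic is also what a program would run at configuration time if it ships a vetted certificate with its own code, which answers the "inside the program" part of the question above.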