Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: HBCI4Java (S. Palme) <hbc...@ka...> - 2010-01-11 18:01:13
Marcus,

you obviously did not get the relevant point. I'm working on HBCI4Java since about the year 2000 or 2001, and until now it NEVER HAPPENED that a bank's SSL server switched to a new certificate which could not be validated by Java's builtin root certificates (at least not when using reasonably up-to-date Java versions). So your case is a special and for sure a temporary one!

Automatic SSL certificate validation is a *Java* feature, and I am not the author of Java, but of HBCI4Java, which just USES Java's SSL capabilities. If you are not happy with Java's standard behaviour (i.e. providing a cacert file with the most common root certificates and so being able to automatically verify a lot of certificates), you have to find another way on your own. Of course you CAN completely ignore the provided cacert file and use a self-written certificate-store, which can be updated either at runtime or at compile time or whenever you want. But why do you blame ME for not being able to do this?

To quote you:

> Do you realize that I have
> a) no Idea what banks my users want to use

Same applies to me - I have no idea what kind of "certificate validation" users of HBCI4Java want. I just provide the default behaviour included in the JRE. See Java's documentation for more info about how to modify it.

> b) no way of knowing when they change certificates

Again: why do you blame ME? Do you think *I* know when they change their certificates and have the time to provide always up-to-date keystores with all the required root certificates?

> c) a job and a number of other, more important software-projects
> to care about?

Again: why do you blame ME? I'm not responsible for your spare time and what you do with it - and I will not solve your general Java problems. Sorry for the fact that I have released a version of a software project which is not perfect and does not fulfill everyone's requirements.

The next time I will take more care to solve ALL the world's problems in my software projects, including:
1) calculation of PI up to the 1.000th digit,
2) making more peace on earth, and, last but not least,
3) user-managed certificate-stores

> You are proposing to sit here for weeks to find all hbci-servers
> of all banks on this planet and then to constantly monitor them.

I do not. But you seem to think I have the time to do this, just to make *you* happy. You are wrong.

> If not, I would risk that my software just does not work
> for any random bank with the user blaming me, not his bank
> or his own abilities.

The same applies to ALL Java software which uses SSL certificates (in most cases: HTTPS-connections) and which does not include a user-managed certificate store, but relies on the builtin cacert file. So why not ask out there how other authors solve this problem?

> Wouldn't it be far easier to just connect to the server
> at the time the user configures my program, fetch the
> certificate and let the user decide if he wants to trust it?
> THAT is what I asked if you knew how to do that or knew
> (Java-)code that did that so I could integrate this feature.
> At runtime my program runs without user-interaction
> so I have to ask at configure-time.

This may be a solution if your program will be run only against a handful of banks, and your users must reconfigure / recompile your application when the certificate changes. But yes, why not, this may be a solution for your problem. But this is not a *HBCI4Java related* problem, so I can only give you the advice to learn how to deal with SSL certificates in Java, and do not blame others for the fact that you don't know.

-stefan-

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> HBCI4Java (Stefan Palme) wrote:
> > I thought about the following solution: YOU (as the developer of
> > your special application) fetch the missing certificate(s) and
> > create a cacert-style file from them using Java's keytool.
>
> Do you realize that I have
> a) no Idea what banks my users want to use
> b) no way of knowing when they change certificates
> c) a job and a number of other, more important software-projects
> to care about?
>
> You are proposing to sit here for weeks to find all hbci-servers
> of all banks on this planet and then to constantly monitor them.
>
> If not, I would risk that my software just does not work
> for any random bank with the user blaming me, not his bank
> or his own abilities.
>
> So no user of your application must do anything complicated.
> Wouldn't it be far easier to just connect to the server
> at the time the user configures my program, fetch the
> certificate and let the user decide if he wants to trust it?
> THAT is what I asked if you knew how to do that or knew
> (Java-)code that did that so I could integrate this feature.
>
> At runtime my program runs without user-interaction
> so I have to ask at configure-time.
>
>
> Marcus
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAktLXrYACgkQf1hPnk3Z0cTDfwCglxOUlk16oF1veub4+FMm5+tn
> WDoAoNP+wyQrJj3P79PCNCd7n2yssBYL
> =I1bq
> -----END PGP SIGNATURE-----
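The approach the two messages above circle around (fetch the bank's certificate at configure time, let the user decide, keep the decision in a user-managed store, and leave Java's builtin cacert validation in charge at runtime) can be written in plain JSE code. The class below is an added illustration, not code from HBCI4Java or from either author; the class and method names, the keystore path `user-trust.jks`, the password and the host `hbci.example.invalid` are placeholders. It stores the accepted server certificate itself rather than a root, so the store does not depend on the bank's CA, and at runtime it asks the JRE's default trust manager first and the user store only when the builtin roots cannot validate the chain.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical helper, not part of HBCI4Java: fetch a server certificate at
// configure time, let the user accept it, keep it in a user-managed keystore,
// and at runtime trust the JRE's cacerts first and the user's store second.
public class UserTrustStore {

    // Configure time: obtain the server's chain WITHOUT trusting it. The
    // recording TrustManager is used only for this fetch, never for the
    // real banking connection.
    public static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        if (seen[0] == null || seen[0].length == 0) throw new IOException("no certificate received");
        return seen[0];
    }

    // SHA-256 fingerprint, shown to the user so it can be compared with what
    // the bank publishes out of band before the certificate is accepted.
    public static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    // Persist an accepted certificate; the keystore is created on first use.
    public static void storeAccepted(File file, char[] pw, String alias,
                                     X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (file.exists()) {
            try (InputStream in = new FileInputStream(file)) { ks.load(in, pw); }
        } else {
            ks.load(null, pw);
        }
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(file)) { ks.store(out, pw); }
    }

    // A null keystore yields the JRE's default trust manager (builtin cacerts).
    private static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory f = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        f.init(ks);
        for (TrustManager tm : f.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Runtime: Java's default validation stays in charge; the user's store is
    // consulted only when the builtin roots cannot validate the chain.
    // Hostname verification is still the caller's job (HttpsURLConnection does
    // it; a raw SSLSocket needs SSLParameters.setEndpointIdentificationAlgorithm).
    public static SSLContext runtimeContext(File file, char[] pw) throws Exception {
        final X509TrustManager jre = trustManagerFor(null);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) { ks.load(in, pw); }
        final X509TrustManager user = trustManagerFor(ks);
        X509TrustManager combined = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                jre.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                try { jre.checkServerTrusted(c, a); }
                catch (CertificateException e) { user.checkServerTrusted(c, a); }
            }
            public X509Certificate[] getAcceptedIssuers() { return jre.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);
        return ctx;
    }

    // Configure-time flow: fetch, show fingerprint, ask, store.
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "hbci.example.invalid"; // placeholder host
        File store = new File("user-trust.jks");   // hypothetical location
        char[] pw = "change-me".toCharArray();     // placeholder password
        X509Certificate leaf = fetchChain(host, 443)[0];
        System.out.println("Subject:     " + leaf.getSubjectX500Principal());
        System.out.println("Valid until: " + leaf.getNotAfter());
        System.out.println("SHA-256:     " + fingerprint(leaf));
        System.out.print("Trust this certificate for " + host + "? [y/N] ");
        String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
        if ("y".equalsIgnoreCase(answer)) {
            storeAccepted(store, pw, host, leaf);
            System.out.println("Stored; at runtime use runtimeContext(store, pw).getSocketFactory()");
        }
    }
}
```

Because the accepted leaf certificate is what gets stored, the user store expires when the bank rotates its certificate, which is exactly the "reconfigure when the certificate changes" cost Stefan describes; showing the fingerprint and expiry at configure time gives the user something to verify against the bank's published data instead of accepting blindly.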