Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: Rolf V. <ro...@we...> - 2010-01-15 00:54:26
> > I'm not sure how long the option client.passport.PinTan.checkcert has
> > been available and documented, it could very well have been that this
> > option didn't exist in an older version of the library
>
> Just FYI: This was one of the very first options that have been
> implemented, because the test server which I have used in the "old days"
> did not have an "official" SSL certificate, so I had to disable
> certification checking to be able to work in HBCI-PIN/TAN at all :-)

Ah, I see :)

> With HBCI4Java's kernel parameter client.passport.PinTan.certfile
> you can specify the name of such a file, which will then be used
> by Java's SSL engine in addition to the standard cacert file.

Oops, I didn't know that the provided keystore is used as an addition to the regular one, I thought it would be used as a replacement. SORRY about that.

But still, what I have written in my previous mail should work nicely, and should be safe and understandable. Also, if you use the Java keystore of a recent JDK version, you don't have to add much, and if you ship the result along with the app, it should work even if the user has installed a very much older Java version. So the results should be identical on his/her and your computer. Which is what you want :)

> > I don't think it's an option to ship and update the certificates of
> > every bank the user could configure with the software.
>
> Of course, you are right. But if you work with an "older" Java version,
> which does not yet include the (maybe very new) root certificate in
> question, this may be the only way.
>
> The alternative would be to tell your users that they need a relatively
> new Java version (which includes the root cert in question).
>
> By the way, this is the reason for my first question in this mail: if
> you already use a very new Java version, and this certificate is not
> included, this may cause bigger problems - not only for HBCI4Java, but
> all Java applications working with certificates...
I think that possibly the intermediate certificate in the chain is the culprit.

Certificate chain according to Firefox:

1.: "Builtin Object Token: Equifax Secure CA" (since 22.08.1998 18:41:51)
2.: "TC TrustCenter SSL CA I" (since 15.08.2008 18:45:15)
3.: "hbci.comdirect.de" (since 30.09.2009 12:45:25)

Java 1.6.0.07 seems to be older than 15.08.2008 (for example, I found a message in a board, dated "Jul 13, 2008 5:21 AM" where someone wants to download this exact Java version). So certificate #2 can't possibly be included.

> Regards
> -stefan-

Rolf
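The diagnosis above (a chain whose intermediate issuer is absent from an older JDK's trust store, fixed by supplying a keystore that is used in addition to the standard cacerts) can be reproduced outside the application. The following Java program is an added example written for this page; it is not HBCI4Java's code and does not use its kernel parameters. It reads a server chain exported from the browser as a PEM file, validates it with PKIX against the JDK's default trust anchors alone, and then validates it again with every trusted certificate of an extra keystore added to the anchor set, so the two results show whether the extra keystore supplies the missing issuer. The file names, the keystore password argument and the helper names are assumptions; the JDK and `javax.net.ssl` APIs used are standard.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: validates a PEM chain against the JDK trust anchors, then with an extra keystore added. */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            // Assumed invocation; the extra keystore and its password are optional.
            System.err.println("usage: ChainCheck chain.pem [extra-keystore.jks [password]]");
            System.exit(2);
        }
        List<X509Certificate> chain = orderLeafFirst(readPemChain(Paths.get(args[0])));
        Set<TrustAnchor> anchors = jdkDefaultAnchors();
        report("JDK default trust store only", chain, anchors);
        if (args.length >= 2) {
            char[] password = args.length >= 3 ? args[2].toCharArray() : null;
            anchors.addAll(anchorsFromKeyStore(Paths.get(args[1]), password));
            report("JDK default trust store + " + args[1], chain, anchors);
        }
    }

    /** Reads all PEM-encoded certificates from one file (e.g. a chain exported from the browser). */
    static List<X509Certificate> readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(pem.toFile())) {
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
        }
        return out;
    }

    /** Orders certificates leaf first by following issuer -> subject links; a self-signed root stays last. */
    static List<X509Certificate> orderLeafFirst(List<X509Certificate> certs) {
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            boolean issuesAnother = false;
            for (X509Certificate other : certs) {
                if (other != c && other.getIssuerX500Principal().equals(c.getSubjectX500Principal())) issuesAnother = true;
            }
            if (!issuesAnother) leaf = c;   // the certificate that issues nothing else is the end entity
        }
        List<X509Certificate> ordered = new ArrayList<>();
        for (X509Certificate cur = leaf; cur != null && !ordered.contains(cur); ) {
            ordered.add(cur);
            X509Certificate next = null;
            for (X509Certificate c : certs) {
                if (c != cur && c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) next = c;
            }
            cur = next;
        }
        return ordered.isEmpty() ? certs : ordered;
    }

    /** The anchors the running JDK trusts by default (its cacerts, or javax.net.ssl.trustStore if set). */
    static Set<TrustAnchor> jdkDefaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) anchors.add(new TrustAnchor(ca, null));
            }
        }
        return anchors;
    }

    /** Trusted-certificate entries of an extra keystore, to be ADDED to the default anchors, not to replace them. */
    static Set<TrustAnchor> anchorsFromKeyStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file.toFile())) { ks.load(in, password); }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
        }
        return anchors;
    }

    /** Runs PKIX validation and, on failure, names the issuer that the anchor set would have to contain. */
    static void report(String label, List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // only chaining is under test here; revocation is a separate check
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println(label + ": OK, chain ends in a trusted anchor");
        } catch (CertPathValidatorException ex) {
            X509Certificate last = chain.get(chain.size() - 1);
            System.out.println(label + ": FAILED: " + ex.getMessage());
            System.out.println("  last certificate in file: " + last.getSubjectX500Principal());
            System.out.println("  its issuer, which must be a trust anchor: " + last.getIssuerX500Principal());
        }
    }
}
```

Compile and run it as `javac ChainCheck.java && java ChainCheck hbci-chain.pem extra.jks changeit` (assumed file names and password). If the first line reports "Path does not chain with any of the trust anchors" and the second reports OK, the extra keystore is what supplies the issuer the installed JDK lacks, and the printed issuer name is the certificate to import into that keystore with `keytool -importcert`. If both runs fail, the exported file does not contain the issuer either, and the missing certificate has to be obtained from the CA rather than from the server.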