views:

186

answers:

2

Hi, I am trying to troubleshoot a two-way SSL handshake mechanism. I get an error:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This indicates that one of my keystore or truststore files does not have the appropriate entries. I know the way to troubleshoot this is to go to the server's truststore, do the keytool list, check the signing authorities, and then go to the client's key/truststore and verify this.

Can someone list these steps clearly (with the appropriate commands) please? Googling is not leading me anywhere. I just need a list of steps of "How can I confirm that Client X can talk to Server Y with two way SSL using Cert Z"?

+3  A: 

The SunCertPathBuilderException exception is thrown whenever the certificate validator fails to establish a chain between the certificate and a root certificate.

The easiest way to confirm that the certificate validates is to use a graphical tool like

The above tools are recommended since the exception is usually thrown in the absence of a root certificate.

If you want to examine what certificates are getting exchanged, it is better to switch on the ssl debug flag on the JVM node where the validation is failing.

Another option is to use a network traffic capture utility like Ethereal or Microsoft Netmon to obtain a dump of the traffic containing the certificate exchanges.

PS: Are you using the right keystore in the first place? I remember making the same mistake many moons ago...

Vineet Reynolds
Hi Vineet, I have access to the certificates. I want to know what entries do I compare? There is just so much information in the certificate. Is there a good link on HOW TO READ a certificate?
Calm Storm
Are you using the right keystore in the first place? How can I determine this? I know I have to compare something in the bin/keytool output, but what is it?
Calm Storm
The keystore for a JVM is normally set at startup, although you can change this later using a System.setProperty() call. Therefore, if your JRE's keystore is different from the one you are using to store the certificates, you will see this exception especially when the JRE's keystore does not have the intermediate or trusted CA certs.
Vineet Reynolds
By the way, if you want to validate the certificate chain, use KeyTool IUI. Load the keystore using the tool, and it should present you with the certificates in it; you can view the certificate chain by choosing an appropriate 'key entry'. Using KeyTool IUI you will be able to verify if the cert validates at the sender. The recipient is where the error is encountered, and you need to look for corresponding intermediate and root certs at the recipient, as you have found in the sender.
Vineet Reynolds
A: 

If the server is live, you can test to see what certificates are being given out at http://www.sslshopper.com/ssl-checker.html

Otherwise, you can run this keytool command to view what certificates are in the keystore:

keytool -list -v -keystore keystore.jks

That will show you if you have the correct primary and intermediate certificate installed in the keystore.

Robert
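An added example (not from the question or either answer) of the comparison asked about above: it takes the Issuer DN from the client certificate and looks for a truststore entry whose Owner DN equals it, working on the text that keytool prints. Both keytool outputs below are constructed samples, and the file names, aliases and password in the comments are placeholders.

```shell
#!/bin/sh
# Checks whether the issuer of a client certificate is present as a trusted
# entry (matched by Owner DN) in the server truststore, using the text that
# `keytool -printcert -v` and `keytool -list -v` print. Constructed samples:

CLIENT_CERT_INFO='Owner: CN=client-x, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c4d
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025'

SERVER_TRUSTSTORE_LIST='Keystore type: JKS

Alias name: exampleissuingca
Entry type: trustedCertEntry

Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US

Alias name: examplerootca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US'

# issuer_dn TEXT: print the Issuer DN from keytool -printcert output.
issuer_dn() {
  printf '%s\n' "$1" | awk '/^Issuer: / { print substr($0, 9); exit }'
}

# trust_anchor_alias TEXT DN: print the alias of the truststore entry whose
# Owner DN equals DN; exit 1 when no entry matches (the PKIX failure case).
trust_anchor_alias() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^Alias name: / { alias = substr($0, 13) }
    /^Owner: /      { if (substr($0, 8) == want) { print alias; found = 1; exit } }
    END             { exit found ? 0 : 1 }'
}

# Live use (needs keytool on PATH; file names and password are placeholders):
#   trust_anchor_alias "$(keytool -list -v -keystore server-truststore.jks -storepass changeit)" \
#                      "$(issuer_dn "$(keytool -printcert -v -file client.crt)")"
# A DN match is only a first check: compare the fingerprint as well, and make
# sure the truststore you list is the one the failing JVM actually loads.
if anchor=$(trust_anchor_alias "$SERVER_TRUSTSTORE_LIST" "$(issuer_dn "$CLIENT_CERT_INFO")"); then
  echo "client issuer trusted via alias: $anchor"
else
  echo "client issuer not found in server truststore"
fi
```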