2

I am trying to make a test SSL connection using the following Java code:

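```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// Open the HTTPS connection; the TLS handshake and certificate validation
// happen when the input stream is requested.
String httpsURL = "https://www.somehost.com";
URL myurl = new URL(httpsURL);
HttpsURLConnection con = (HttpsURLConnection) myurl.openConnection();

InputStream ins = con.getInputStream();
InputStreamReader isr = new InputStreamReader(ins);
BufferedReader in = new BufferedReader(isr);

String inputLine;

// Print the response body line by line.
while ((inputLine = in.readLine()) != null)
    System.out.println(inputLine);

in.close();
```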

When I connect to Host A everything works fine - the connection is made and the response is received.

However when I connect to Host B, which is secured by a certificate that is issued by the same authority as Host A's, I receive the following exception:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Everything that I have read so far suggests that I need to install the certificates in my keystore, however if that were the solution then why does Host A work whilst Host B doesn't?

As a probably unhelpful aside - if I write a similar piece of C# code then the connection is successfully negotiated for both Hosts A and B - the same applies for navigating to the URL in the browser.

2 Answers

2

Most likely causes are,

  1. Host B uses a self-signed certificate.
  2. The certificate is signed by a CA which is not in your trust store.
  3. The cert is signed with an intermediate cert, but Host B is misconfigured so it doesn't send the server cert with the intermediate cert.

For #1, #2, you need to import the cert or the CA cert into your trust store.

For #3, tell host B to send the intermediate cert.


2 Comments

Note that for #1 & #2, you can also skip the validation, as described at exampledepot.com/egs/javax.net.ssl/trustall.html , though think about what you're doing before doing that.
Host B's cert is signed with the same intermediate cert as Host A. So, option #3 is the most likely possibility. I don't have immediate access to Host B - is there any way that I could prove this was the case in the meantime? I tried removing the intermediate cert from my browser's certificate store and then browsing to the URL. The certificate is presented as valid and the intermediate cert appears in the certificate store again. Does this prove that the intermediate cert is sent from the server, or would/could the browser request it separately from elsewhere?
-1

This probably is because you don't have a valid path for the certificate or maybe because you don't have a CA certificate of VeriSign or some company like that.

1 Comment

The first item merely restates what the error message says; the rest is just guesswork. -1
