Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: EJBCA 6.14.1.1
- Fix Version/s: EJBCA 6.15.1
- Component/s: None
- Labels: None
- Sprint: EJBCA Sprint 21 Team Bob
Description
When running ant test:runws, almost all tests now fail with:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Enabling debugging with -Dtests.jvmargs="-Djavax.net.debug=ssl:handshake -Djava.security.debug=certpath,provider" narrows the issue down to
... trustStore is: /etc/pki/java/cacerts ... %% Invalidated: [Session-86, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
which implies that Java's built-in truststore is used instead of the one we try to set in the WS tests by specifying
System.setProperty("javax.net.ssl.trustStore", TEST_ADMIN_FILE);
System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);
System.setProperty("javax.net.ssl.keyStore", TEST_ADMIN_FILE);
System.setProperty("javax.net.ssl.keyStorePassword", PASSWORD);
The working theory is that some other part of the JVM opens a TLS connection before the WS test code runs, which initializes the default socket factory; that already-initialized socket factory is then reused for the WS connections without re-reading the properties we configured.
Changing this to use a custom socket factory for new connections, like the following, resolves the issue:
HttpsURLConnection.setDefaultSSLSocketFactory(getSSLFactory(TEST_ADMIN_FILE, PASSWORD.toCharArray()));
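The following is an added example of what a helper like the getSSLFactory referenced above can look like; it is not EJBCA's own code. It reads the key and trust material from the keystore file directly instead of relying on the javax.net.ssl.* system properties, so it works even when the JVM's default SSLContext has already been created from the system cacerts. The keystore type (PKCS12), the class and method names, and the path and password in main are assumptions for illustration; TEST_ADMIN_FILE and PASSWORD are EJBCA test constants whose values are not given on this page.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class ExplicitSslFactory {

    /**
     * Builds an SSLSocketFactory from a keystore file that holds both the client
     * certificate with its private key and the trusted CA certificate(s).
     * Loading the file here, instead of setting javax.net.ssl.* properties,
     * makes the configuration explicit: the default SSLContext is created only
     * once per JVM and never re-reads those properties afterwards.
     */
    static SSLSocketFactory buildSslSocketFactory(String keystorePath, char[] password)
            throws IOException, GeneralSecurityException {
        // Keystore type is an assumption; adjust to "JKS" if the test file is a JKS store.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // Client authentication: the admin certificate and key used for the WS calls.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // Server authentication: trust only the CA certificates in this file, not the JVM cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and password for illustration only.
        String testAdminFile = args.length > 0 ? args[0] : "/path/to/test-admin.p12";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        SSLSocketFactory factory = buildSslSocketFactory(testAdminFile, password);
        // Applies to every HttpsURLConnection opened from this point on; a connection
        // that was opened earlier with the JVM default factory is left unchanged.
        HttpsURLConnection.setDefaultSSLSocketFactory(factory);
    }
}
```

Because the default factory is replaced for the whole JVM, this call should run before any test code opens an HTTPS connection; a connection created earlier keeps the cacerts-based context and would still fail with the certificate_unknown alert seen above.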