
Java 7 Upgrade Pitfall

Java 7 includes many security-related changes.

* Java 7 Compatibility

Sorting Algorithm Change

private class

SSLv3, MD2, RSA key size under 1024

SSL certificates not being recognized

Unable to Connect to SSL Services due to PKIX Path Building Failed

The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an intermediate certificate. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
  ... 22 more

In this case, the “unable to find valid certification path to requested target” message is being produced due to the missing intermediate certificate. You can check which certificate is missing using SSL Labs test against the server. Once you find the appropriate certificate, download it and (if the server is under your control) add it to the certificate bundle. Alternatively, you can import the missing certificate locally. Accommodating this issue on the server is a more general solution to the problem.
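To see from the Java side which certificate is missing, the following added example (not part of the original page or the quoted answer) records the chain the server actually sends, validates it with the JRE's default trust manager as usual, and names the first issuer that is neither sent by the server nor present in the trust store. The class name `ChainGapCheck` and the `host [port]` command-line arguments are assumptions made for this example.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

// Added diagnostic; the class name is hypothetical. Validation is never disabled.
public class ChainGapCheck {
    // Index of the first certificate whose issuer is neither the next certificate sent
    // nor a trusted root (-1 if none). Names only; the trust manager checks signatures.
    static int firstGap(X509Certificate[] chain, Set<X500Principal> roots) {
        for (int i = 0; i < chain.length; i++) {
            X500Principal issuer = chain[i].getIssuerX500Principal();
            if (i + 1 < chain.length && chain[i + 1].getSubjectX500Principal().equals(issuer)) continue;
            return roots.contains(issuer) ? -1 : i;
        }
        return -1;
    }
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        final X509TrustManager jre = (X509TrustManager) tmf.getTrustManagers()[0];
        Set<X500Principal> roots = new HashSet<X500Principal>();
        for (X509Certificate c : jre.getAcceptedIssuers()) roots.add(c.getSubjectX500Principal());
        final X509Certificate[][] sent = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { jre.checkClientTrusted(c, t); }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                sent[0] = c;                  // record what the server sent
                jre.checkServerTrusted(c, t); // then validate exactly as usual
            }
            public X509Certificate[] getAcceptedIssuers() { return jre.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { sock.startHandshake(); System.out.println("handshake OK"); }
        catch (SSLException e) { System.out.println("handshake failed: " + e.getMessage()); }
        finally { sock.close(); }
        if (sent[0] == null) return; // failed before any certificate arrived
        for (X509Certificate c : sent[0])
            System.out.println(c.getSubjectX500Principal() + " <- " + c.getIssuerX500Principal());
        int gap = firstGap(sent[0], roots);
        System.out.println(gap < 0 ? "names link to a trusted root"
                : "missing issuer certificate: " + sent[0][gap].getIssuerX500Principal());
    }
}
```

The issuer name it prints identifies the intermediate to add to the server's certificate bundle, or to import into the local trust store if the server is not under your control.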