java:7:pitfall

Differences

This shows the differences between the two selected revisions of the page.

java:7:pitfall [2013/10/25 10:37]
kwon37xi
java:7:pitfall [2015/06/23 15:22]
kwon37xi
Line 28: Line 28:
   * [[http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8013059|Bug ID: JDK-8013059 Diffie Hellman occasionally results in "invalid padding" exception]]   * [[http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8013059|Bug ID: JDK-8013059 Diffie Hellman occasionally results in "invalid padding" exception]]
     * [[https://forums.oracle.com/thread/2506695|SSL intermittent problem when using DH-based ci... | Oracle Forums]]     * [[https://forums.oracle.com/thread/2506695|SSL intermittent problem when using DH-based ci... | Oracle Forums]]
-    * <code> +    * I noticed that the bug suggested here (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2222432) relates to the Diffie-Hellman key exchange, so I tried selecting a cipher which does not use Diffie-Hellman (''-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256'') and the problem went away. So I think we have a workaround. 
-I noticed that the bug suggested here (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2222432) relates to the Diffie-Hellman key exchange, so I tried selecting a cipher which does not use Diffie-Hellman (-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256) and the problem went away. So I think we have a workaround. + 
-</code>+===== 문단 제목 ===== 
 +  * [[http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find|ssl - Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]] 
 +  * [[http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html|PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target.]] 
 + 
 +The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an [[https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority|intermediate certificate]]. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates: 
 + 
 +Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
 +    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) 
 +    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) 
 +    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) 
 +    ... 22 more 
 + 
 +In this case, the "unable to find valid certification path to requested target" message is being produced due to the missing intermediate certificate. You can check which certificate is missing using [[https://www.ssllabs.com/ssltest/|SSL Labs]] test against the server. Once you find the appropriate certificate, download it and (if the server is under your control) add it to the certificate bundle. Alternatively, you can import the missing certificate locally. Accommodating this issue on the server is a more general solution to the problem.
  
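Review bot: The heading added on the `+` side, `===== 문단 제목 =====`, reads as an unedited placeholder ("section title"); give it a title that names the error the new links and text cover, for example the SunCertPathBuilderException "unable to find valid certification path to requested target" case. The stack trace starting at "Caused by: sun.security.provider.certpath.SunCertPathBuilderException" is added as plain text, while the same change drops the `<code>` wrapper from the forum quote; the trace is the part that belongs in `<code>` so its indentation and the "... 22 more" line survive rendering. The first-person paragraph ("on my Apache 2.4 instance") reads as quoted from one of the linked pages and should be marked as a quotation with its source. Next to the `-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256` workaround it is worth a sentence that pinning an RSA key-exchange suite gives up forward secrecy, so it should be documented as a stopgap until the JDK-8013059 fix is in place, and the quoted bug_id=2222432 link should be checked against the JDK-8013059 entry it sits under.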
java/7/pitfall.txt · Last modified: 2015/12/18 16:36 by kwon37xi