0

首先:我知道,有很多“CertPathValidatorException”线程,我已经检查过了:)

我有以下问题,我只是找不到解决方案。我真的很感激一些帮助。

我们有一个运行 java web 应用程序的 tomcat6。ssl配置似乎没问题。用 fe sslshopper 检查显示没有问题。您可以毫无问题地通过浏览器和 https 进行连接。所以,进去的方式看起来不错。

从 Web 应用程序的一个类中,我们使用 apache HTTPClient(简单 SOAP POST)调用 https Web 服务。当我们这样做时,会抛出异常:



    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at net.umbrella.services.webclient.myclimate.MyClimateWebservice.callWebService(MyClimateWebservice.java:151)
        ... 67 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:266)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:249)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:162)
        at sun.security.validator.Validator.validate(Validator.java:235)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
        ... 85 more
Caused by: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:153)

奇怪的是:如果我们在系统上运行我们的单元测试——其中也包含有问题的 HTTPClient 调用——一切都很好。对我来说,这看起来像是 tomcat 配置的问题。如果我使用 sslshopper 检查 Web 服务的提供商,他的证书看起来也不错。

我真的不是该主题的专家,大部分配置都是由我们的主机完成的,也找不到问题(问题在几周前突然出现)。

一个普遍的问题:哪个密钥库用于来自 Web 应用程序的 HTTPClient 调用?系统密钥库或必须由 tomcat 提供的特定密钥库?无论如何,tomcat ssl 配置是否连接到来自 web 应用程序的 https 请求?

谢谢!

此致,

罗伯特

已解决:我们终于解决了这个问题。该系统的基本 jvm 是 SUN JDK,但对于 tomcat,OpenJDK 被定义为 JVM。切换回 SUN JDK 解决了我们所有的问题。

4

1 回答 1

0

回答这个问题的Tomcat方面:

如果您从 Web 应用程序建立 HTTPS 连接,则 Tomcat 零参与该过程。您需要使用 HttpClient 提供的任何 API 来配置 HttpClient。

关于您看到的错误消息,您的信任库似乎不太正确。您可能缺少中级证书吗?

于 2013-03-22T11:58:58.753 回答