Reputation: 1431
I've recently detected unstable SSL certificate path validation under
Ubuntu 12.04 LTS (GNU/Linux 3.2.0-26-generic x86_64)
OpenJDK Runtime Environment (IcedTea6 1.11.4) (6b24-1.11.4-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
and
Ubuntu 10.04.1 LTS
OpenJDK Runtime Environment (IcedTea6 1.11.4) (6b24-1.11.4-1ubuntu0.10.04.1)
OpenJDK Server VM (build 20.0-b12, mixed mode)
It starts with the following error for an SSL connection to an online banking host:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException:
Path does not chain with any of the trust anchors
I've checked whether or not the root certificate was always included in the keystore ... it was (Baltimore CyberTrust Root). I've double-checked the MD5 and SHA1 fingerprints of the sent data against the data shown by the browser's certificate info dialog... the same! After that, I found SSLPoke, a little utility for SSL communication, and used that for subsequent requests:
java -Djavax.net.debug=ssl SSLPoke hbci-pintan.gad.de 443
And this displays the instability: about 8 of 10 requests failed with the error mentioned above, 2 of 10 succeeded. For every failed request, I immediately sent the same request under Mac OS X 10.7.5 java version "1.6.0_35" with Java(TM) SE Runtime Environment (build 1.6.0_35-b10-428-11M3811), Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01-428, mixed mode). All of these requests were successful. Therefore, it seems that the validation of such SSL certification paths is unstable under OpenJDK.
Has anybody had similar experiences?
Kind regards
Dominik
Upvotes: 1
Views: 2424
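An added diagnostic sketch, not part of the original post: it repeats the handshake and tallies the default trust manager's verdict per certificate chain actually presented, so an intermittent failure can be matched against the SHA-1 fingerprints, subjects and issuers the server sent on each attempt. The class name ChainProbe is hypothetical, and the idea that the presented chain may differ between attempts is an assumption to test, not something the post establishes.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.*;

// Added example; ChainProbe is a hypothetical name. Written without Java 7+ syntax.
public class ChainProbe {
    static String sha1(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(c.getEncoded()))
            sb.append(String.format("%02X", b));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        int attempts = args.length > 2 ? Integer.parseInt(args[2]) : 10;
        // Default trust manager, backed by the JRE's own trust store (cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];
        final Map<String, int[]> tally = new TreeMap<String, int[]>(); // chain -> {ok, failed}
        // Records the chain as presented, then delegates the trust decision unchanged.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { dflt.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                StringBuilder key = new StringBuilder();
                try {
                    for (X509Certificate c : chain)
                        key.append("\n  ").append(sha1(c)).append("  ").append(c.getSubjectX500Principal()).append(" <- ").append(c.getIssuerX500Principal());
                } catch (Exception e) { throw new CertificateException(e); }
                if (!tally.containsKey(key.toString())) tally.put(key.toString(), new int[2]);
                int[] t = tally.get(key.toString());
                try { dflt.checkServerTrusted(chain, authType); t[0]++; }
                catch (CertificateException e) { t[1]++; throw e; }
            }
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
        };
        for (int i = 0; i < attempts; i++) {
            SSLContext ctx = SSLContext.getInstance("TLS"); // fresh context: no session reuse
            ctx.init(null, new TrustManager[] { recorder }, null);
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
            try { s.startHandshake(); } catch (SSLException e) { /* verdict already tallied */ }
            finally { s.close(); }
        }
        for (Map.Entry<String, int[]> e : tally.entrySet())
            System.out.println("ok=" + e.getValue()[0] + " failed=" + e.getValue()[1] + e.getKey());
    }
}
```

Run it with the same host and port arguments as SSLPoke, plus an optional attempt count. If one chain shows both successes and failures, the variation is on the validating side; if the failures map to a distinct chain, compare that chain's issuers with the entries in the trust store.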
Reputation: 4259
I think there are two causes of this exception.
Path does not chain with any of the trust anchors
Refer to this link also.
Upvotes: 1