SSLPeerUnverifiedException in OpenJDK-6

Xuelei Fan xuelei.fan at oracle.com
Wed Sep 12 03:41:32 PDT 2012


On 9/12/2012 6:37 PM, Hitesh Bhanushali wrote:
> Thanks Xuelei for the reply!
> 
> So is this order required in OpenJDK-6 specifically? Because, things are
> working fine with OpenJDK-7 and SunJDK 6-7 on client side with the same
> server.
> 
We tolerate an out-of-order certificate list [1] in JDK 7, and updated JDK
6. But the fix has not been backported to OpenJDK 6.

If it is possible, the server should always use an ordered list. Otherwise,
it is not guaranteed to work with all SSL/TLS vendors.

Xuelei

[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6899503

> ~Hitesh
> 
> On Wed, Sep 12, 2012 at 3:43 PM, Xuelei Fan <xuelei.fan at oracle.com
> <mailto:xuelei.fan at oracle.com>> wrote:
> 
>     Per the request of SSL/TLS protocols, see section 7.2 of RFC5246:
> 
>        certificate_list
>           This is a sequence (chain) of certificates.  The sender's
>           certificate MUST come first in the list.  Each following
>           certificate MUST directly certify the one preceding it.
> 
>     From the logs, the server, www.elabs11.com <http://www.elabs11.com>,
>     does not send the certificate list compliant with the above spec.  The
>     certificate list in the server side is out-of-order, the following
>     certificate does not certify the one preceding it.
> 
>     Xuelei
> 
>     > Hi,
>     >
>     > I have a JAVA Springs web application, which talks to external services
>     > over HTTPS, using 'javax.net.ssl.HttpsURLConnection'. It used to work
>     > fine since ages, but starting with 14th August 2012, it's throwing
>     > 'SSLPeerUnverifiedException' for 'https://www.elabs11.com'. The issue
>     > seems particularly with OpenJDK-6. It's working fine with Sun-6-JDK and
>     > OpenJDK-7.
>     >
>     > Here is my Java configuration:
>     > /java version "1.6.0_24"
>     > OpenJDK Runtime Environment (IcedTea6 1.11.4)
>     > (6b24-1.11.4-1ubuntu0.12.04.1)
>     > OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode) /
>     >
>     > There was one build (34th) rolled out on 14th Aug
>     > (http://en.wikipedia.org/wiki/Java_version_history#Java_6_updates), but
>     > my OpenJDK is running 24th build. (/Maybe just a coincidence/)
>     >
>     > PFA my application logs with OpenJDK-6, OpenJDK-7 and SunJDK-6. I have
>     > also attached the sample Java code I am testing with.
>     >
>     > Any pointer in this regard will be appreciated.
>     >
>     > Thanks,
>     > Hitesh
>     >
>     >
> 
> 
> 
> 
> -- 
> Hitesh Bhanushali
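
The ordering rule quoted above from RFC 5246 section 7.2 can be checked on a PEM bundle before it is installed on a server. This is an added example, not part of the original thread: it uses the openssl command line, compares issuer and subject names only (signatures are not verified), and every certificate name and file name in it is constructed.

```shell
# Print the issuer or subject name ($1) of the certificate in file $2.
name_of() { openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# Print the 1-based position of the first certificate whose issuer is not the
# subject of the certificate that follows it, or 0 if the list is ordered.
first_break() (
  tmp=$(mktemp -d) || exit 2
  # Split the bundle into one file per certificate, keeping the sent order.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1; bad=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(name_of issuer "$tmp/c$i.pem")
    subject=$(name_of subject "$tmp/c$((i + 1)).pem")
    [ "$issuer" = "$subject" ] || { bad=$i; break; }
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$bad"
)

# Build a constructed root -> intermediate -> leaf chain in directory $1,
# plus one bundle in the required order and one with the CA certs swapped.
make_demo_chain() (
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  issue() {  # issue <file stem> <common name> <signer file stem>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
      -set_serial 1 -days 1 -out "$d/$1.pem" 2>/dev/null
  }
  issue int "Constructed Intermediate" root
  issue leaf "www.example.test" int
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/ordered.pem"
  cat "$d/leaf.pem" "$d/root.pem" "$d/int.pem" > "$d/unordered.pem"
)

# Demo on the constructed bundles.
demo=$(mktemp -d)
make_demo_chain "$demo"
echo "ordered bundle:   first break at $(first_break "$demo/ordered.pem")"
echo "unordered bundle: first break at $(first_break "$demo/unordered.pem")"
rm -rf "$demo"
```

To check a real server, save the certificates printed by `openssl s_client -showcerts` to a file and pass that file to `first_break`.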



More information about the jdk6-dev mailing list