I am trying to load a page over SSL, but I get this error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Of course I researched it, and it has to do with the site's certificate not being included in the Java distribution I downloaded. This is the certificate hierarchy of the site I am loading:
The first one (GlobalSign) is of course included in the system. But what is "Trusted Root CA SHA256 G2"? Firefox says it is signed by GlobalSign. Also, could ICPEdu be the missing certificate? If so, how do I add it to the list of trusted certificates in my Java code?
But wait... since GlobalSign is trusted, shouldn't every certificate below it be trusted too?
As pointed out in the answer, here is the SSL debug output:
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://secure.globalsign.com/cacert/icpedusha2g2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp2.globalsign.com/icpedusha2g2
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 95 F0 A4 84 1A A7 5C 20 36 A6 C5 08 D7 65 42 02 ......\ 6....eB.
0010: E5 77 68 E3 .wh.
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.com/gs/icpedusha2g2.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 26 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 6C .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F ository/
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.parthenon.biblioteca.unesp.br
DNSName: parthenon.biblioteca.unesp.br
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6D BE 57 72 E3 B5 BD A2 0E 16 E3 A9 2F 8B E7 87 m.Wr......../...
0010: F1 4B 27 75 .K'u
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 2D 83 5B 63 56 82 77 74 FB EF 40 C1 7A 88 9B 1B -.[cV.wt..@.z...
0010: 34 37 79 4E 28 A4 79 18 69 25 FE 52 90 B4 79 B7 47yN(.y.i%.R..y.
0020: 90 00 58 CE 21 E6 96 BC E7 5B C3 5D 41 38 51 5E ..X.!....[.]A8Q^
0030: B5 DA D2 EA F6 44 83 FA B7 A8 66 90 77 C9 96 3D .....D....f.w..=
0040: 72 AE 05 5C F2 19 AE 36 43 F6 A5 DF E2 E5 F8 50 r..\...6C......P
0050: D3 CC EF AE 79 29 19 F6 F8 63 C0 26 E9 0C FA 86 ....y)...c.&....
0060: 30 1D BF 00 69 C8 E9 B5 B6 16 BE 6B 5F 63 5B AD 0...i......k_c[.
0070: F5 B4 18 82 0C 53 ED 36 AB 38 61 8B 80 C9 8C 62 .....S.6.8a....b
0080: E6 20 E3 CB 5A 2A 91 C2 CA 6A BE 31 B6 CB 65 57 . ..Z*...j.1..eW
0090: 33 47 43 9A B4 33 5B 45 D9 5E ED C6 7C 2B 0D B3 3GC..3[E.^...+..
00A0: E6 4C 5F 85 EF D0 BE CD 02 1B 6B C1 06 2F 7B F6 .L_.......k../..
00B0: C0 B7 C4 68 F1 F6 92 2B A4 B6 85 08 32 7C 8D 9F ...h...+....2...
00C0: 34 7D 08 5B B4 05 51 C8 E6 C4 29 86 04 32 FA 2B 4..[..Q...)..2.+
00D0: 18 42 56 43 88 DB EE 32 5F CE 8D 88 5E 91 C1 72 .BVC...2_...^..r
00E0: CB 0F FE F3 CA 55 D3 A4 40 57 E0 13 03 3F C9 16 .....U..@W...?..
00F0: 1F FC 31 28 CB 68 06 9F 0F 3A D2 3A 91 65 B2 D8 ..1(.h...:.:.e..
]
***
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
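The debug output above ends right after the server's single certificate (CA:false, issuer ICPEdu), which is the point where PKIX gives up. The following Java program, added here as an example and not part of the question or either answer, wraps the JDK's default trust manager so that a rejected handshake also prints which certificates the server actually presented and whether the last one's issuer is a known trust anchor. It delegates every trust decision to the default PKIX trust manager and rethrows its exception, so it does not weaken validation. The URL default and the name-only issuer comparison are assumptions for illustration (a precise check would compare AuthorityKeyIdentifier to SubjectKeyIdentifier).

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic trust manager: every decision is delegated to the JDK's default
 * PKIX trust manager; when that rejects the chain, the chain the server sent
 * is printed and the original exception is rethrown unchanged.
 */
public class ChainDiagnostics {

    static final class ReportingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        ReportingTrustManager(X509TrustManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                System.err.println("Server presented " + chain.length + " certificate(s):");
                for (int i = 0; i < chain.length; i++) {
                    X509Certificate c = chain[i];
                    System.err.printf("  [%d] subject=%s%n      issuer =%s%n",
                            i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
                }
                // Heuristic (assumption): compare the last cert's issuer name with the
                // subject names of the trust anchors the default trust manager knows.
                X509Certificate last = chain[chain.length - 1];
                boolean issuerIsAnchor = false;
                for (X509Certificate anchor : delegate.getAcceptedIssuers()) {
                    if (anchor.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                        issuerIsAnchor = true;
                    }
                }
                System.err.println(issuerIsAnchor
                        ? "Issuer of the last certificate is a trust anchor; the failure is not a missing intermediate (check validity dates, key usage, revocation)."
                        : "Issuer of the last certificate is NOT a trust anchor: the server omits an intermediate from the handshake.");
                throw e;  // keep the failure; this class only explains it
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    /** The JDK's default X509TrustManager, backed by the bundled cacerts. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null = the JRE's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Default URL taken from the question; pass another as the first argument.
        String url = args.length > 0 ? args[0] : "https://www.parthenon.biblioteca.unesp.br/";
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReportingTrustManager(defaultTrustManager()) }, null);
        HttpsURLConnection conn =
                (HttpsURLConnection) java.net.URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

For the chain in the question this prints one certificate whose issuer (ICPEdu) is not an anchor, which is the "missing intermediate" case: the AuthorityInfoAccess caIssuers URL in the debug output (icpedusha2g2.crt) is where that intermediate is published.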
Answer 0 (score: 1)
The server www.parthenon.biblioteca.unesp.br is not sending its intermediate certificates in the handshake.
The server administrator can correct this by supplying the missing intermediate certificates in the server configuration.
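When the server side cannot be fixed, the client can supply the missing intermediate itself without turning it into a trust anchor. The Java program below is an added example, not code from the question or the answer: it keeps the JDK's bundled cacerts as the only trust anchors, adds the intermediate(s) read from a file (assumed to have been downloaded out of band from the caIssuers URL shown in the debug output) to a CertStore that PKIX may use while building the path, and keeps revocation checking enabled in soft-fail mode. The file name, URL default and class name are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class IntermediateCertStoreClient {

    /** The JRE's bundled root store; these remain the only trust anchors. */
    static KeyStore loadDefaultCacerts() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());  // JDK default cacerts password
        }
        return ks;
    }

    /** Parse a DER or PEM bundle of CA certificates; refuse end-entity certs. */
    static List<X509Certificate> loadIntermediates(Path bundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = Files.newInputStream(bundle)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() < 0) {
                    throw new IllegalArgumentException("not a CA certificate: " + x.getSubjectX500Principal());
                }
                out.add(x);
            }
        }
        return out;
    }

    static SSLContext contextWithIntermediates(Path bundle) throws Exception {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(loadDefaultCacerts(), new X509CertSelector());
        // Extra CA certificates go into a CertStore: available for path building,
        // but NOT trusted on their own; the path must still end at a cacerts root.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(loadIntermediates(bundle))));
        // Keep OCSP/CRL checking on, but tolerate an unreachable responder.
        PKIXRevocationChecker rc =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        params.addCertPathChecker(rc);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name: the intermediate fetched from the caIssuers URL in the debug output.
        Path bundle = Paths.get(args.length > 0 ? args[0] : "icpedusha2g2.crt");
        String url = args.length > 1 ? args[1] : "https://www.parthenon.biblioteca.unesp.br/";
        HttpsURLConnection conn =
                (HttpsURLConnection) java.net.URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(contextWithIntermediates(bundle).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Importing the intermediate into a truststore with keytool would also make the handshake succeed, but it would then be trusted directly as an anchor even if the GlobalSign root stopped vouching for it; the CertStore approach above avoids that. Alternatively, the JDK can fetch the caIssuers certificate itself when started with -Dcom.sun.security.enableAIAcaIssuers=true.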
Answer 1 (score: 0)
I think the best thing for you is to look at exactly what is sent from the server to the client. You can send the certificate chain to a browser and parse it with OpenSSL, or better, with an online parser, for example: http://developerutils.com/X509CertificateDecoder.php
You can add to the server's logging options: -Djavax.net.debug=ssl,handshake to see the whole handshake process.
This can help you figure out what exactly is happening.
About the chain itself: if it sends the chain and the root of the chain is in the list of trusted CAs, the rest of the chain is trusted, unless one of the certificates in the chain is revoked or expired.