"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException" - caused by HttpUrlConnector which relies on DefaultSSLSocketFactory value which is not a constant" #4332
Comments
Andremoniy
pushed a commit
to Andremoniy/jersey
that referenced
this issue
Dec 3, 2019
Andremoniy
pushed a commit
to Andremoniy/jersey
that referenced
this issue
Dec 3, 2019
Closed
Andremoniy
added a commit
to Andremoniy/jersey
that referenced
this issue
Dec 3, 2019
Andremoniy
added a commit
to Andremoniy/jersey
that referenced
this issue
Dec 3, 2019
Andremoniy
added a commit
to Andremoniy/jersey
that referenced
this issue
Dec 3, 2019
…ctory assignment is performed on the suc object. It is not uses additional fallback to check that actual SSLContext objects are equal. Fixes eclipse-ee4j#4332 Signed-off-by: Andrey Lebedev <andremoniy@gmail.com>
Andremoniy
changed the title
Andremoniy
changed the title
Andremoniy
changed the title
Andremoniy
added a commit
to Andremoniy/jersey-bug-4332
that referenced
this issue
Dec 17, 2019
|
Dear jersey's developers, I have created a test which reproduces the problem. |
Andremoniy
added a commit
to Andremoniy/jersey
that referenced
this issue
Jan 28, 2020
- the parameter "suc" renamed to "httpsURLConnection" - the "final" keyword is added where missed - no ignored exceptions Fixes eclipse-ee4j#4332 Signed-off-by: Andrey Lebedev <andremoniy@gmail.com>
Andremoniy
added a commit
to Andremoniy/jersey
that referenced
this issue
Jan 28, 2020
…ld" method which throws an exception if the field is not found. Fixes eclipse-ee4j#4332 Signed-off-by: Andrey Lebedev <andremoniy@gmail.com>
|
I ran into this problem as well. Since this ticket and the OpenJDK ticket is still open I'm sharing my (ugly) workaround: Add this line early in your code that is using Jersey: |
|
I have also spent quite a bit of time debugging this issue in my product, only to find that it's been reported variously since 2015 but never fixed. |
|
Same ran into this problem too. |
|
We would love to fix this, but as mentioned, the bug is in the JDK. Jersey can attempt to provide some workaround but there is always a use-case that gets broken with the workaround. @msn-tldr What Jersey do you have the problem with? There were some changes in the latest builds, but we are not sure how to overcome the JDK issue for good. |
cloudera-hudson
pushed a commit
to hortonworks/registry
that referenced
this issue
Jul 13, 2023
…oncurrency issue This is a workaround as described in eclipse-ee4j/jersey#4332, which is related to a JDK bug: https://bugs.openjdk.org/browse/JDK-8160347 In short, HttpsURLConnection.getDefaultSSLSocketFactory is not thread safe, and it can return different objects on different calls. Because of this, concurrent access in Jersey clients can lead to an incorrect SSL socket configuration. An easy workaround is to make sure that HttpsURLConnection.getDefaultSSLSocketFactory is called once before any jersey access. Client applications can still encounter the issue if they start using a jersey client in their own code, but the SR client should be safe from the issue with this change. Change-Id: I920d5b0a1bd6fd5851686ce1285ab2d98e6291bf
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
https://github.com/eclipse-ee4j/jersey/blob/master/core-client/src/main/java/org/glassfish/jersey/client/internal/HttpUrlConnector.java#L302-L304
HttpUrlConnectorsets the custom SSLFactory only when the one in the currentHttpsURLConnectioninstance is the default one:However, there is no guarantee that
HttpsURLConnection.getDefaultSSLSocketFactory()remains a constant. Furthermore, there is an open bug about this issue:https://bugs.openjdk.java.net/browse/JDK-8160347
This leads to the situation when the underlying
HttpsURLConnectiondoesn't receive a custom SSLSocketFactory from the client.The issue is certainly related to this one: #3293 but the fix was not proposed or has not been merged, so the issue is still remains.
Several screenshots with an evidence of this issue I've caught in debug.
On this screenshot we see that the current instance of
HttpUrlConnectorhas a customSSLSocketFactoryinstance with a customTrustManagerwith one trusted certificate.The second screenshot demonstrates, that the
ucobject still has a defaultSSLSocketFactorywith the defaultTrustManagercontaining 88 certificates.The final screenshot shows that even though both
HttpsURLConnection.getDefaultSSLSocketFactory()andsuc.getSSLSocketFactory()have the sameSSLContext, the instances themselves are not equal.This causes apparently
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException"error because of the wrongly configured truststore.The text was updated successfully, but these errors were encountered: