SHA1 /SHA2 TLS certificate issue at Remote AP OR Java 7 issue while sending document to Peppol network #261

Closed
aaron-kumar opened this issue Sep 1, 2016 · 8 comments


@aaron-kumar
Member

We are getting the following error while sending a document to the Peppol network:
Unexpected error during execution of http POST to https://atworklogin.com:8443/oxalis/as2 : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The remote AP has a certificate from GoDaddy.
Their certificate is set with connection encryption: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits, TLS 1.2.

Additionally, I see a problem in the way the SSL/TLS certificate was created:

  • They are using port 8443, which is not the default port.
  • They specified a CN starting with "www", but it is not part of the URL.

Additionally, I found that we are getting this error only with Java 7 at our end. If I set the Java version to 8, the document goes through perfectly fine. But if Java 7 is the cause, then why are we not getting the error while sending documents to other APs?

P.S. There are related issues #168 and #173.

@pr0nin

pr0nin commented Sep 1, 2016

#260 was related to this as well. We solved it by using Java 8 instead of 7.

@aaron-kumar
Member Author

aaron-kumar commented Sep 1, 2016

OK, that means upgrading to Java 8 is the only option. Were you also facing the same issue while sending to this particular AP? Or was it a different AP?

@pr0nin

pr0nin commented Sep 1, 2016

Same AP. There might be other solutions but we landed on Java 8.


@simakas

simakas commented Sep 1, 2016

I'm the guy behind the AP in question. Here is our env, in case there is some sort of incompatibility issue:

version.oxalis: 3.0.2
version.java: 1.7.0_111

Previously reported issues were both SHA2 upgrade related; we went for it too early and there was likely very poor Java support for it. For 2017 certificates there is no more SHA1 option. For now I can only suspect an Oxalis or Java version incompatibility.

@teedjay
Contributor

teedjay commented Sep 1, 2016

I guess this is because that GoDaddy root CA was not available in earlier Java versions. So if you use an old Java 7 or old Java 8 runtime you will not be able to verify these HTTPS certs without adding the GoDaddy root CA to the trust store manually.

I would recommend upgrading to a more recent Java 7 runtime (or going with Java 8).

@aaron-kumar
Member Author

Yes, @teedjay. Thanks for confirming. That was something I was expecting. So upgrading to the latest Java 7 or Java 8 is the solution.

@aaron-kumar
Member Author

Let us keep this issue open until concerned parties confirm it.

@aaron-kumar aaron-kumar reopened this Sep 1, 2016
@klakegg
Contributor

klakegg commented Sep 1, 2016

Concerned parties reopen the issue if @teedjay is not correct.

@klakegg klakegg closed this as completed Sep 1, 2016
@pr0nin pr0nin mentioned this issue Sep 1, 2016