B4J Question SSL Error with httpjob and https [solved]

[Didier9]

I have a simple example project that shows the problem.
The example works on a server that does not use https but does not when pointed to another server that runs https, even though calling the same php script directly from Chrome on the same machine (using https) does work.

I am getting this error:

Waiting for debugger to connect...
Program started.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:242)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:200)
    at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:196)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:132)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:101)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
    at okhttp3.RealCall.execute(RealCall.java:63)
    at anywheresoftware.b4h.okhttp.OkHttpClientWrapper.executeWithTimeout(OkHttpClientWrapper.java:156)
    at anywheresoftware.b4h.okhttp.OkHttpClientWrapper.access$0(OkHttpClientWrapper.java:153)
    at anywheresoftware.b4h.okhttp.OkHttpClientWrapper$ExecuteHelper.run(OkHttpClientWrapper.java:201)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 35 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 41 more
ResponseError. Reason: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Response:
Error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Note that this runs on a corporate intranet. The project is actually the KMatle MySQL/PHP tutorial that I updated a couple of months ago which runs fine with http.

 

[DonManfred]

Not sure how to use that one

It is a internal library. You should put it into the INTERNAL Library folder inside the installation folder.
Make sure there is NO jokhttputils.* inside the additional library folder.

 

[Didier9]

OK, I finally peeled the onion all the way to the core and it's working. V2.90 and option HU2_ACCEPTALL fixed it.
I had missed the bit about copying the B4xlib file to the library folder under Program Files...
Thank you all for your patience...

 

[Didier9]

Make sure there is NO jokhttputils.* inside the additional library folder.

I still had several files from the original distribution I guess but apparently B4J picked the most recent.
Anyhow, I removed the other files to prevent any issue.

 

[DonManfred]

Anyhow, I removed the other files to prevent any issue.

good idea

 

[KMatle]

jOkHttpUtils2 is a internal library and a b4xlib. It is located in C:\Program Files (x86)\Anywhere Software\B4J\Libraries
It is Version=2.82

1. lol
2. MUCH better than 1.0

 

[Didier9]

The 1.0 was in the user Library folder, I am not sure since when, the date stamp was 2018, probably when I downloaded it.

Apparently, that was not the version I was using, I was using 2.82 which was in the main distribution library folder.

Anyhow, everything is good now.

I am a little curious what that flag HU2_ACCEPTALL does. It sounds ominous. If the problem is that Java is not able to properly process the ssl certificate, are we allowing a work around it?

In my application, it is not a real problem because the server and the clients are on the same subnet that is internal to our division and not accessible from the outside, and our company policy does not actually require that strictly internal traffic be encrypted. We do have divisions abroad and traffic between divisions must be encrypted but not internally to a division.
However, if this approach was used over the open internet, are we compromising security by using this flag?

 

[OliverA]

HU2_ACCEPTALL

This short circuits certificate validation. Even though your connection is still encrypted, the server you are connecting to is blindly trusted. This can enable man in the middle attacks since the intermediate server can serve a fake certificate/stolen certificate and you would be unaware of it (since you would just connect). The appropriate solution in the end would be to figure out why Java does not like your servers certificate.