When libraries attack

This is something we ran into at work… just a use case in debugging a problem that you can run into.

The core of this is we're trying to connect via SSL to a server on the internet. No problem, Java includes all the stuff to make that work seamlessly.

Except when it doesn't.

We tried to access a URL and we kept getting an exception that looked like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Of course the URL, when we're trying it in a browser, works just fine. This is a conundrum. The obvious thing in this case is that the root cert isn't trusted. So we add that to the keystore -- to no avail. OK, let's add the intermediate values to the keystore as well. Still nothing.

At this point we think we're about to go mad. Everything checks out and things should be working. The SSL chain is OK.

The first crack in the armor of this bug happened when we tried to access this URL on a different machine and it worked. Of course this didn't seem reproducible on other machines so we mostly wrote it off.

A night's sleep later I tried some other queries… Eventually I got to a post on a forum that linked to Sun's bug database.

It seemed we might've run into a library bug. The description said that subject alternate names in the SSL cert could cause issues. From looking at the cert the previous few days I knew that it had such a beast buried within it. It was a bug in Java < 1.7. We were on 1.6 at the moment.

Sure enough, the machine that the contrived test worked on had its Java upgraded to 1.7 a few weeks ago. The pieces suddenly made sense and fit together.

These days we're so used to compilers and their libraries working so well we get ourselves accustomed to not double-checking them when we run into problems. The assumption that the library worked as intended cost us a bunch of time. It's always the assumptions that bite you on the ass.
