Question

When using openjdk-7-jre-headless (1.7.0_25) on Ubuntu (12.04.3 LTS), I am unable to establish SSL/TLS connections to https://api.runkeeper.com/ (issued by GeoTrust):

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error

Other servers (e.g. https://foursquare.com/, issued by DigiCert) work fine, and if I use java-7-oracle (1.7.0_45) there is no problem, either.

I copied /usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts to /etc/ssl/certs/java/cacerts, but get the same error (if I remove the latter file, no SSL connections work, so the file is being used). Other ideas?

Solution

It may be that the certificate chain is being presented out-of-order. I've seen this a few times with self-signed certs - perhaps these vendors are having the same issue.

Lots of software (e.g. all major browsers AFAIK) deals with this by sorting the certificate chain before it gets to the Validator.

I wrote a blog post a while back about how to deal with this on Android, but the same code should work with openjdk.

See http://blog.chariotsolutions.com/2013/01/https-with-client-certificates-on.html
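The chain sorting described in the answer above, as an added example that is not code from the answer or from the linked blog post: a wrapper that reorders the presented chain and then hands it to the JRE's default trust manager, so signatures, validity and the trust anchor are still checked. The class name `ChainSortingTrustManager` and its helper methods are hypothetical, and it assumes the server's own certificate is sent first (as TLS requires) with only the certificates after it out of order.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added example (hypothetical class): reorder the chain, then delegate validation unchanged.
public class ChainSortingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public ChainSortingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    // chain[0] stays the end-entity certificate; the rest are rearranged so each certificate
    // is followed by its issuer. Matching is by name only: trust is decided by the delegate.
    static X509Certificate[] sort(X509Certificate[] chain) {
        if (chain == null || chain.length < 2) return chain;
        List<X509Certificate> pool = new ArrayList<>(Arrays.asList(chain).subList(1, chain.length));
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = chain[0];
        while (current != null) {
            ordered.add(current);
            X509Certificate next = null;
            for (X509Certificate c : pool) {
                if (c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) { next = c; break; }
            }
            pool.remove(next); // each certificate is used once, so duplicates cannot cause a loop
            current = next;
        }
        return ordered.toArray(new X509Certificate[0]);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(sort(chain), authType);
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(sort(chain), authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    public static SSLContext newContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust store (cacerts)
        X509TrustManager def = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) { def = (X509TrustManager) tm; break; }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ChainSortingTrustManager(def) }, null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        HttpsURLConnection.setDefaultSSLSocketFactory(newContext().getSocketFactory());
    }
}
```

Certificates that do not link to the end-entity certificate by issuer name are dropped from the array passed on, so a chain that is genuinely incomplete still fails validation in the delegate.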

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow