HttpComponents HttpClient / HTTPCLIENT-1320

SSLSocketFactory.createSystemSSLContext causes java.security.UnrecoverableKeyException: Password verification failed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.2, 4.2.3, 4.2.4, 4.3 Alpha1, 4.3 Beta1, 4.3 Final
    • Fix Version/s: 4.2.4, 4.3 Beta1
    • Component/s: HttpClient
    • Labels:
      None
    • Environment:
      Java System Property javax.net.ssl.trustStore is set, but javax.net.ssl.trustStorePassword is not.

      Description

      When the Java System property "javax.net.ssl.trustStore" is specified, but "javax.net.ssl.trustStorePassword" is not, requests are encountering the exception listed below. This is reproducible in version 4.2.1 and looking at the relevant code, it should also be reproducible in all other versions as well.

      This appears to be fixed if the password value for loading the keystore falls back to null instead of the empty string. I'm not sure if this problem also exists with the "javax.net.ssl.keyStore" logic as well, but I suspect it does.

      The workaround is to set the "javax.net.ssl.trustStorePassword" appropriately, assuming that you know the correct value.

      Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
      at java.security.KeyStore.load(KeyStore.java:1185)
      at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:281)
      at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:366)
      ... 37 more
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
      ... 41 more

      1. HTTPCLIENT-1320.patch
        0.8 kB
        Abe Backus
      2. HTTPCLIENT_1320.java
        1 kB
        Abe Backus
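
The difference between the two fallbacks described in the report, as an added example (not the project's code and not the attached HTTPCLIENT_1320.java): `KeyStore.load` treats a null password as "skip the integrity check" and an empty password as a password to verify. The class name, the in-memory store and its `changeit` password are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;

public class TrustStorePasswordFallback {

    // Constructed sample: an empty JKS store protected with "changeit",
    // standing in for the file named by javax.net.ssl.trustStore.
    static byte[] sampleStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                       // initialise an empty store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "changeit".toCharArray());
        return out.toByteArray();
    }

    // Returns "loaded" or a summary of the exception KeyStore.load produced.
    static String tryLoad(byte[] store, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(store), password);
            return "loaded";
        } catch (Exception e) {
            Throwable cause = e.getCause();
            return e.getClass().getSimpleName() + ": " + e.getMessage()
                    + (cause == null ? "" : " <- " + cause.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] store = sampleStore();
        // Null when the property is not set, which is the situation in the report.
        String prop = System.getProperty("javax.net.ssl.trustStorePassword");

        // Fallback to the empty string: load() checks the store digest against "" and fails.
        char[] emptyFallback = (prop != null ? prop : "").toCharArray();
        System.out.println("empty-string fallback: " + tryLoad(store, emptyFallback));

        // Fallback to null: load() skips the integrity check and reads the entries.
        char[] nullFallback = prop != null ? prop.toCharArray() : null;
        System.out.println("null fallback:         " + tryLoad(store, nullFallback));

        // Correct password: the store loads and its integrity is verified.
        System.out.println("correct password:      " + tryLoad(store, "changeit".toCharArray()));
    }
}
```

With a null password the keystore's integrity check is not performed, so a modified trust store file loads without error; setting javax.net.ssl.trustStorePassword keeps that check in place.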

        Activity

        Abe Backus added a comment -

        Thanks Oleg! I tested with 4.2.x using the test case and the actual client that it will be integrated with. This looks good.

        httpclient-4.2.x$ svn info
        Path: .
        URL: https://svn.apache.org/repos/asf/httpcomponents/httpclient/branches/4.2.x
        Repository Root: https://svn.apache.org/repos/asf
        Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
        Revision: 1454757
        Node Kind: directory
        Schedule: normal
        Last Changed Author: olegk
        Last Changed Rev: 1454724
        Last Changed Date: 2013-03-09 06:41:15 -0800 (Sat, 09 Mar 2013)

        Oleg Kalnichevski added a comment -

        I made some changes to the way default SSL contexts are created and initialized. Instead of using an internal custom routine, HttpClient 4.2.x and 4.3 now leverage javax.net.ssl.SSLSocketFactory#getDefault() to create a socket factory with an SSL context based on system properties.

        Please review / re-test.

        Oleg

        Oleg Kalnichevski added a comment -

        4.2.4 is likely within a few weeks. I would like to release HttpCore 4.2.4 first.

        Oleg

        Abe Backus added a comment -

        Thank you! Is there a timeline for the 4.2.4 release?

        Oleg Kalnichevski added a comment -

        Committed to SVN trunk and 4.2.x. Many thanks, Abe, for contributing the fix.

        Oleg

        Abe Backus added a comment -

        Sample code also attached. Note: This is reproducible when using the SystemDefaultHttpClient.

        Desktop$ java -classpath .:org.apache.httpcomponents.httpcore_4.2.1.jar:org.apache.httpcomponents.httpclient_4.2.1.jar:commons-logging-1.1.1.jar -Djavax.net.ssl.trustStore=cacerts HTTPCLIENT_1320
        executing request https://www.google.com/
        Exception in thread "main" org.apache.http.conn.ssl.SSLInitializationException: Failure initializing default system SSL context
        at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:368)
        at org.apache.http.conn.ssl.SSLSocketFactory.getSystemSocketFactory(SSLSocketFactory.java:204)
        at org.apache.http.impl.conn.SchemeRegistryFactory.createSystemDefault(SchemeRegistryFactory.java:82)
        at org.apache.http.impl.client.SystemDefaultHttpClient.createClientConnectionManager(SystemDefaultHttpClient.java:118)
        at org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
        at HTTPCLIENT_1320.main(HTTPCLIENT_1320.java:26)
        Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:281)
        at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:366)
        ... 5 more
        Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
        ... 9 more

        Abe Backus added a comment -

        Suggested fix.


          People

          • Assignee: Unassigned
          • Reporter: Abe Backus
          • Votes: 0
          • Watchers: 2
