Opened 5 years ago

Closed 5 years ago

#1115 closed defect (fixed)

"self-signed certificate or untrusted certificate authority" while reseeding w/ proper cert

Reported by: killyourtv
Owned by: meeh
Priority: major
Milestone: 0.9.9
Component: www/reseed
Version: 0.9.8.1
Keywords: java6
Cc: meeh@…

Description

I2P: 0.9.8.1
Java: IcedTea6 1.12.6 (6b27-1.12.6-1~deb7u1)
Debian Wheezy x64 and Squeeze i386 (Tails)

Reproduced with both the .jar installer and Debian package. I first saw this in Tails but was able to reproduce it on a 'normal system' too.

The correct certificate is in $INSTALL_DIR/certificates/reseed.info.crt but it seems I2P is not using it. The cert was verified with gnutls-cli and certtool.

11/6/13 10:50:53 AM INFO  [JobQueue 4/4] networkdb.reseed.ReseedChecker: Downloading peer router information for a new I2P installation
11/6/13 10:50:56 AM ERROR [Reseed      ] net.i2p.util.SSLEepGet        : SSL negotiation error with reseed.info:443 - self-signed certificate or untrusted certificate authority?
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1715)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:963)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1208)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:674)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
	at java.io.OutputStream.write(OutputStream.java:75)
	at net.i2p.util.SSLEepGet.sendRequest(SSLEepGet.java:664)
	at net.i2p.util.EepGet.fetch(EepGet.java:517)
	at net.i2p.util.EepGet.fetch(EepGet.java:482)
	at net.i2p.util.EepGet.fetch(EepGet.java:472)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.readURL(Reseeder.java:475)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseedOne(Reseeder.java:327)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseed(Reseeder.java:280)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.run2(Reseeder.java:164)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.run(Reseeder.java:149)
	at java.lang.Thread.run(Thread.java:679)
	at net.i2p.util.I2PThread.run(I2PThread.java:85)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
	at sun.security.validator.Validator.validate(Validator.java:235)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
	at net.i2p.util.SSLEepGet$SavingTrustManager.checkServerTrusted(SSLEepGet.java:402)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1160)
	... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
	... 25 more
11/6/13 10:50:56 AM ERROR [Reseed      ] uter.networkdb.reseed.Reseeder: EepGet failed on https://reseed.info/
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1715)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:963)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1208)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:674)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
	at java.io.OutputStream.write(OutputStream.java:75)
	at net.i2p.util.SSLEepGet.sendRequest(SSLEepGet.java:664)
	at net.i2p.util.EepGet.fetch(EepGet.java:517)
	at net.i2p.util.EepGet.fetch(EepGet.java:482)
	at net.i2p.util.EepGet.fetch(EepGet.java:472)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.readURL(Reseeder.java:475)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseedOne(Reseeder.java:327)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseed(Reseeder.java:280)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.run2(Reseeder.java:164)
	at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.run(Reseeder.java:149)
	at java.lang.Thread.run(Thread.java:679)
	at net.i2p.util.I2PThread.run(I2PThread.java:85)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
	at sun.security.validator.Validator.validate(Validator.java:235)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
	at net.i2p.util.SSLEepGet$SavingTrustManager.checkServerTrusted(SSLEepGet.java:402)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1160)
	... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
	... 25 more

Change History (10)

comment:1 follow-up: Changed 5 years ago by zzz

  • Cc meeh@… added
  • Component changed from other to router/netdb
  • Owner set to zzz

Note that a lot of the SSL stuff was refactored early in the 0.9.9 cycle and the certs have moved from certificates/ to certificates/ssl/, so need to test both trunk and release to get to the bottom of this...

I have not yet tried reseeding on 0.9.8.1-0

comment:2 in reply to: ↑ 1 Changed 5 years ago by killyourtv

Replying to zzz:

Note that a lot of the SSL stuff was refactored early in the 0.9.9 cycle and the certs have moved from certificates/ to certificates/ssl/, so need to test both trunk and release to get to the bottom of this...

Me too (in case I wasn't clear in my explanation).

  • verified SSLEepGet (java -cp lib/i2p.jar net.i2p.util.SSLEepGet https://reseed.info/) works both on 0.9.8.1-0 and 0.9.8.1-21 (running from $I2P so it can find the certs)

This did not work for me with 0.9.8.1-21 on the same test system.

This also didn't work on the test system. On my workstation running 0.9.8.1-21 it worked fine. My workstation's default java is Java 7. With Java 6, however:

$ /usr/lib/jvm/java-1.6.0-openjdk-amd64/bin/java -version
java version "1.6.0_27"
OpenJDK Runtime Environment (IcedTea6 1.12.6) (6b27-1.12.6-1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
$ TZ=UTC /usr/lib/jvm/java-1.6.0-openjdk-amd64/bin/java  -cp lib/i2p.jar net.i2p.util.SSLEepGet https://reseed.info
FAILED (probably due to untrusted certificates) - Run with -s option to save certificates

** Wed Nov 06 19:41:51 UTC 2013
** Attempt 0 of https://reseed.info failed
** Transfered 0 with unknown remaining
** sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
== Wed Nov 06 19:41:51 UTC 2013
== Transfer of https://reseed.info failed after 1 attempts
== Transfer size: 0 with unknown remaining
== Transfer time: 270ms
== Transfer rate: 000,00KBps

With Java 7:

$ java -version
java version "1.7.0_25"
OpenJDK Runtime Environment (IcedTea 2.3.12) (7u25-2.3.12-4)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
$ TZ=UTC java -cp lib/i2p.jar net.i2p.util.SSLEepGet https://reseed.info
##
== Wed Nov 06 19:42:31 UTC 2013
== Transfer of https://reseed.info completed with 2422 bytes transferred
== Output saved to null (2422 bytes)
== Transfer time: 595ms
== Transfer rate: 003,98KBps

It's also fine on my RaspberryPi with JDK8:

$ /opt/jdk1.8.0/bin/java -version
java version "1.8.0-ea"
Java(TM) SE Runtime Environment (build 1.8.0-ea-b109)
Java HotSpot(TM) Client VM (build 25.0-b51, mixed mode
$ /opt/jdk1.8.0/bin/java -cp lib/i2p.jar net.i2p.util.SSLEepGet https://reseed.info
##
== Wed Nov 06 19:47:22 UTC 2013
== Transfer of https://reseed.info completed with 2422 bytes transferred
== Output saved to null (2422 bytes)
== Transfer time: 11s
== Transfer rate: 000.20KBps

So it seems to be broken in Java 6 but fine in Java 7 and 8.

Last edited 5 years ago by killyourtv

comment:3 Changed 5 years ago by killyourtv

  • Keywords java6 added

comment:4 Changed 5 years ago by zzz

Hmph. That's important info. It makes it harder but maybe lower priority.

I don't see anything unusual in that cert.

comment:5 Changed 5 years ago by zzz

  • Owner changed from zzz to meeh
  • Status changed from new to assigned

When using -Djavax.net.debug=ssl on the java command line for eepget, I get a completely different cert when using java 6 than when using java 7. It's negotiating down to RC4 and using some other cert. At this point it looks like an SSL setup problem on the server side. Reassigning to Meeh to work with the server op.

Java 7:

java version "1.7.0_25"
OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.13.04.2)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
*** ClientHello, TLSv1
RandomCookie:  GMT: xxxx bytes = { xxxx }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: reseed.info]
***
main, WRITE: TLSv1 Handshake, length = 183
main, READ: TLSv1 Handshake, length = 85
*** ServerHello, TLSv1
RandomCookie:  GMT: xxxx bytes = { xxxx }
Session ID:  {216, 19, 91, 2, 146, 138, 94, 100, 209, 91, 89, 37, 170, 199, 46, 184, 120, 130, 35, 135, 146, 251, 162, 11, 69, 184, 53, 80, 69, 5, 206, 225}
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension server_name, server_name: 
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
main, READ: TLSv1 Handshake, length = 850
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=reseed.info, OU=reseed, O=I2P, L=HH, ST=Some-State, C=AU
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 23209086155408442446330649815359245471651419369080710521546277093344168634527972267940524637997033838865725075042947235958985355902092249051421280502046101840062754905525389198600659141746627346185048625415054623982963038361442334883530283117516704346769955754978560281322063708919577869738066453076251623462685817463891629126076507814336516382461650773482443749496726431685907873862957947020233244169401747977716442849779312419917876963722180310961399169126734043215319758082798070666572754636040004308950957026906616152116677063359388085424320340383783981339153730157644187041654305594488028017679852898135031735629
  public exponent: 65537
  Validity: [From: Sat Oct 27 14:57:43 EDT 2012,
               To: Mon Dec 05 13:57:43 EST 2016]
  Issuer: CN=reseed.info, OU=reseed, O=I2P, L=HH, ST=Some-State, C=AU
  SerialNumber: [    c29bf66b 99a962f7]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2B E9 10 6F 88 10 D6 E1   B9 CF 0D 37 1D B6 CB 53  +..o.......7...S
0010: 0D D6 98 5F DC B3 A2 1F   B3 CD E1 81 D1 D5 11 DB  ..._............
0020: A1 8A A0 E8 E9 48 8B 5B   07 D9 EB B1 6D 5E 27 6C  .....H.[....m^'l
0030: 1B 6E 57 C6 05 4A 17 85   C9 8D 07 22 87 5D 71 DE  .nW..J.....".]q.
0040: 8C C8 66 BA B1 E3 75 E8   B6 06 E2 DB 4E C9 27 37  ..f...u.....N.'7
0050: C0 CF 29 7B B9 50 5F 73   72 0E 1C 29 09 31 83 35  ..)..P_sr..).1.5
0060: CE 70 D6 25 68 5E 3E B1   FC 05 5C 31 C9 E3 07 BF  .p.%h^>...\1....
0070: F2 F7 6E 56 09 32 A3 C4   7A EB 9E 37 FD 28 7F 9C  ..nV.2..z..7.(..
0080: 83 2F AB 6B 25 45 3E 30   C0 80 4E 55 C3 1B D9 7C  ./.k%E>0..NU....
0090: 65 6D DC 07 5B D5 C0 2C   0C FD B2 DA 3E E0 61 FD  em..[..,....>.a.
00A0: 18 00 B6 E1 FF 27 82 5B   8E A4 78 A3 32 73 8E 22  .....'.[..x.2s."
00B0: 8E 1D 1E 26 D0 E6 13 3D   29 C0 E9 1D EC CF D2 E8  ...&...=).......
00C0: 0C 4C 0C 52 D8 D9 AD 55   A8 70 02 A6 B6 22 3A 6A  .L.R...U.p...":j
00D0: 47 B6 84 43 6C 0B BF 14   33 0E AA D7 A3 DD CB F7  G..Cl...3.......
00E0: 7F 9B D8 52 91 51 05 C7   0E EB 9D FE 7F F0 D2 45  ...R.Q.........E
00F0: 55 DC 36 88 1A 29 0E B0   96 B2 A1 A9 D1 FB D1 C3  U.6..)..........

]
***
Found trusted certificate:
[
[
  Version: V1
  Subject: CN=reseed.info, OU=reseed, O=I2P, L=HH, ST=Some-State, C=AU
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 23209086155408442446330649815359245471651419369080710521546277093344168634527972267940524637997033838865725075042947235958985355902092249051421280502046101840062754905525389198600659141746627346185048625415054623982963038361442334883530283117516704346769955754978560281322063708919577869738066453076251623462685817463891629126076507814336516382461650773482443749496726431685907873862957947020233244169401747977716442849779312419917876963722180310961399169126734043215319758082798070666572754636040004308950957026906616152116677063359388085424320340383783981339153730157644187041654305594488028017679852898135031735629
  public exponent: 65537
  Validity: [From: Sat Oct 27 14:57:43 EDT 2012,
               To: Mon Dec 05 13:57:43 EST 2016]
  Issuer: CN=reseed.info, OU=reseed, O=I2P, L=HH, ST=Some-State, C=AU
  SerialNumber: [    c29bf66b 99a962f7]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2B E9 10 6F 88 10 D6 E1   B9 CF 0D 37 1D B6 CB 53  +..o.......7...S
0010: 0D D6 98 5F DC B3 A2 1F   B3 CD E1 81 D1 D5 11 DB  ..._............
0020: A1 8A A0 E8 E9 48 8B 5B   07 D9 EB B1 6D 5E 27 6C  .....H.[....m^'l
0030: 1B 6E 57 C6 05 4A 17 85   C9 8D 07 22 87 5D 71 DE  .nW..J.....".]q.
0040: 8C C8 66 BA B1 E3 75 E8   B6 06 E2 DB 4E C9 27 37  ..f...u.....N.'7
0050: C0 CF 29 7B B9 50 5F 73   72 0E 1C 29 09 31 83 35  ..)..P_sr..).1.5
0060: CE 70 D6 25 68 5E 3E B1   FC 05 5C 31 C9 E3 07 BF  .p.%h^>...\1....
0070: F2 F7 6E 56 09 32 A3 C4   7A EB 9E 37 FD 28 7F 9C  ..nV.2..z..7.(..
0080: 83 2F AB 6B 25 45 3E 30   C0 80 4E 55 C3 1B D9 7C  ./.k%E>0..NU....
0090: 65 6D DC 07 5B D5 C0 2C   0C FD B2 DA 3E E0 61 FD  em..[..,....>.a.
00A0: 18 00 B6 E1 FF 27 82 5B   8E A4 78 A3 32 73 8E 22  .....'.[..x.2s."
00B0: 8E 1D 1E 26 D0 E6 13 3D   29 C0 E9 1D EC CF D2 E8  ...&...=).......
00C0: 0C 4C 0C 52 D8 D9 AD 55   A8 70 02 A6 B6 22 3A 6A  .L.R...U.p...":j
00D0: 47 B6 84 43 6C 0B BF 14   33 0E AA D7 A3 DD CB F7  G..Cl...3.......
00E0: 7F 9B D8 52 91 51 05 C7   0E EB 9D FE 7F F0 D2 45  ...R.Q.........E
00F0: 55 DC 36 88 1A 29 0E B0   96 B2 A1 A9 D1 FB D1 C3  U.6..)..........

]
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone

Java 6:

java version "1.6.0_27"
OpenJDK Runtime Environment (IcedTea6 1.12.6) (6b27-1.12.6-1ubuntu0.13.04.2)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
*** ClientHello, TLSv1
RandomCookie:  GMT: xxxx bytes = { xxxx }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 177
main, WRITE: SSLv2 client hello message, length = 173
main, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie:  GMT: xxxx bytes = { xxxx }
Session ID:  {185, 175, 197, 27, 160, 246, 220, 101, 131, 38, 147, 125, 209, 135, 47, 228, 5, 206, 63, 175, 221, 21, 237, 251, 121, 29, 170, 161, 192, 7, 132, 148}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 832
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=www.69me.de, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 28031389167149177172508214210439479711034758346562796710929006454043419638158296175947542114327481698441692769568174621943850380878386088445163081073813991724807962693817768327956307325501518584519456866490282034748933905256684903041948865474821013310751372716055839767605564746176148962241473267983167225192814100564584115274937205041554112141894381389949964225780967334613627678429531691907385577996438155208685621119323084918089531673251509421994572710528765745903858180345624559090857314493942184160574849476523350188735993041525095143501953759627066160287788242326730404159222668533549850115031711262392462185517
  public exponent: 65537
  Validity: [From: Fri Nov 02 08:18:50 EDT 2012,
               To: Sat Nov 02 08:18:50 EDT 2013]
  Issuer: CN=www.69me.de, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
  SerialNumber: [    8641adc5 b4bdc185]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 15 08 C0 7C D6 3C 4D F6   43 6F AC A1 9A 23 65 65  .....<M.Co...#ee
0010: B7 CD 96 8F 57 7D 2E 6C   40 C9 34 02 D5 FD 65 1B  ....W..l@.4...e.
0020: 05 60 14 1A E9 22 4C 21   1F 39 AE 77 21 18 76 66  .`..."L!.9.w!.vf
0030: A0 D3 64 0F F4 32 DC 43   82 3F 2C D7 B9 3D D1 4B  ..d..2.C.?,..=.K
0040: E8 CC DF 97 74 0D A1 85   DE 68 97 A2 01 98 70 91  ....t....h....p.
0050: 06 D2 33 60 D8 10 DF 67   19 A1 14 FF 2D 8B 25 6B  ..3`...g....-.%k
0060: DF 00 7E F9 BD CB A7 FA   82 25 EC 2B E7 B5 D4 33  .........%.+...3
0070: 75 96 26 B5 C2 B4 36 08   C2 C1 8F C2 0F DE C3 C9  u.&...6.........
0080: 94 64 2C D8 C9 76 42 94   BE 97 F5 94 EE 04 81 FF  .d,..vB.........
0090: 8D 85 E4 A6 CD 52 E8 E7   FE 6E FC 3C 13 A9 27 CF  .....R...n.<..'.
00A0: BB 28 5F 6F 82 F6 A4 0D   5E E8 CF 60 2F 3C 80 3E  .(_o....^..`/<.>
00B0: 63 F8 9F 1F A0 4E 81 F3   63 9E 02 07 F9 32 B9 89  c....N..c....2..
00C0: 39 24 E6 38 20 96 86 01   6D C5 60 14 98 AF CF E9  9$.8 ...m.`.....
00D0: C1 75 88 48 2A D0 8B A6   9F 07 6F 4D 83 C5 A5 A5  .u.H*.....oM....
00E0: 68 8D AA 3F F2 0B E5 F9   2B D7 93 8A 19 61 D8 CB  h..?....+....a..
00F0: A7 D2 4F DC 5A 08 3A 25   80 26 B6 DD 14 85 12 B4  ..O.Z.:%.&......

]
***
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
FAILED (probably due to untrusted certificates) - Run with -s option to save certificates
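
A small comparison of the two -Djavax.net.debug=ssl traces in comment 5, added here as an illustration and not part of the ticket or of I2P's code: it extracts the SNI server_name extension, the negotiated cipher suite and the leaf certificate CN from each trace and lists what is off for the expected host. The function names and finding labels are made up for this example, and the sample traces are abridged from the ones quoted above.

```python
import re

# Abridged from the two -Djavax.net.debug=ssl traces in comment 5; the long
# cipher lists, key material and signature dumps are cut (sample input).
JAVA7_TRACE = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Extension server_name, server_name: [host_name: reseed.info]
***
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
***
*** Certificate chain
chain [0] = [
  Subject: CN=reseed.info, OU=reseed, O=I2P, L=HH, ST=Some-State, C=AU
***
Found trusted certificate:
  Subject: CN=reseed.info, OU=reseed, O=I2P, L=HH, ST=Some-State, C=AU
*** ServerHelloDone
"""
JAVA6_TRACE = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
Extension ec_point_formats, formats: [uncompressed]
***
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
***
*** Certificate chain
chain [0] = [
  Subject: CN=www.69me.de, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
***
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
"""

# Substrings that mark a negotiated suite as weak (assumption of this example).
WEAK_MARKERS = ("RC4", "MD5", "EXPORT", "_DES_", "DES40")


def parse_trace(text):
    """Extract handshake facts from one javax.net.debug=ssl trace."""
    info = {"sni": None, "offered": [], "cipher": None, "leaf_cn": None, "alert": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "***":                      # a bare *** closes the current message
            section = None
            continue
        header = re.match(r"\*\*\* ([A-Za-z ]+)", line)
        if header:                             # e.g. "*** ClientHello, TLSv1"
            section = header.group(1).strip()
            continue
        alert = re.search(r"ALERT:\s+fatal, description = (\w+)", line)
        if alert:
            info["alert"] = alert.group(1)
        elif section == "ClientHello":
            suites = re.match(r"Cipher Suites: \[(.*)\]", line)
            sni = re.match(r"Extension server_name, server_name: \[host_name: ([^\]]+)\]", line)
            if suites:
                info["offered"] = suites.group(1).split(", ")
            elif sni:
                info["sni"] = sni.group(1)
        elif section == "ServerHello":
            chosen = re.match(r"Cipher Suite: (\S+)", line)
            if chosen:
                info["cipher"] = chosen.group(1)
        elif section == "Certificate chain" and info["leaf_cn"] is None:
            subject = re.match(r"Subject: .*?CN=([^,]+)", line)
            if subject:                        # first Subject in the chain is the leaf
                info["leaf_cn"] = subject.group(1)
    return info


def diagnose(info, host):
    """List what differs from a clean handshake with `host`."""
    findings = []
    if info["sni"] is None:
        findings.append("no-sni")
    # Both certificates in the ticket are X.509 V1 (no subjectAltName), so only
    # the CN is compared here; wildcards are not handled.
    if (info["leaf_cn"] or "").lower() != host.lower():
        findings.append("cert-name-mismatch")
    if info["cipher"] and any(m in info["cipher"] for m in WEAK_MARKERS):
        findings.append("weak-cipher")
    if info["alert"]:
        findings.append("alert:" + info["alert"])
    return findings
```

On the traces above, the Java 6 run is the only one whose ClientHello carries no server_name extension, and it is also the one that was handed the www.69me.de certificate.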

comment:6 Changed 5 years ago by killyourtv

I'll test later whether this may be a problem with other reseed hosts too.

comment:7 Changed 5 years ago by killyourtv

It is just this host. Proof:

kytv@i2pservices2:~/i2p$ for I in $(cat ../reseed.txt); do $JAVA -cp lib/i2p.jar net.i2p.util.SSLEepGet $I; done
##
== Thu Nov 07 16:30:20 CET 2013
== Transfer of https://193.150.121.66/netDb/ completed with 2492 bytes transferred
== Output saved to null (2492 bytes)
== Transfer time: 1176ms
== Transfer rate: 002.07KBps
##
== Thu Nov 07 16:30:22 CET 2013
== Transfer of https://cowpuncher.drollette.com/netdb/ completed with 2516 bytes transferred
== Output saved to null (2516 bytes)
== Transfer time: 1392ms
== Transfer rate: 001.77KBps
########
== Thu Nov 07 16:30:32 CET 2013
== Transfer of https://i2p.mooo.com/netDb/ completed with 8701 bytes transferred
== Output saved to null (8701 bytes)
== Transfer time: 8s
== Transfer rate: 001.03KBps
########
== Thu Nov 07 16:30:34 CET 2013
== Transfer of https://ieb9oopo.mooo.com completed with 8425 bytes transferred
== Output saved to null (8425 bytes)
== Transfer time: 831ms
== Transfer rate: 009.90KBps

== Thu Nov 07 16:30:36 CET 2013
== Transfer of https://netdb.i2p2.de/ completed with 68 bytes transferred
== Output saved to null (68 bytes)
== Transfer time: 777ms
== ETag: "d63725904dbae88ed4e419670f991cff"
== Transfer rate: 000.09KBps
##
== Thu Nov 07 16:30:42 CET 2013
== Transfer of https://netdb.i2p2.no/ completed with 2495 bytes transferred
== Output saved to null (2495 bytes)
== Transfer time: 5s
== Transfer rate: 000.41KBps
##
== Thu Nov 07 16:30:46 CET 2013
== Transfer of https://reseed.i2p-projekt.de/ completed with 2072 bytes transferred
== Output saved to null (2072 bytes)
== Transfer time: 2320ms
== Transfer rate: 000.87KBps
FAILED (probably due to untrusted certificates) - Run with -s option to save certificates

** Thu Nov 07 16:30:52 CET 2013
** Attempt 0 of https://reseed.info/ failed
** Transfered 0 with unknown remaining
** sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
== Thu Nov 07 16:30:52 CET 2013
== Transfer of https://reseed.info/ failed after 1 attempts
== Transfer size: 0 with unknown remaining
== Transfer time: 5s
== Transfer rate: 000.00KBps
########
== Thu Nov 07 16:30:55 CET 2013
== Transfer of https://reseed.pkol.de/ completed with 8700 bytes transferred
== Output saved to null (8700 bytes)
== Transfer time: 1343ms
== Transfer rate: 006.33KBps

comment:8 Changed 5 years ago by meeh

I've sent mail to the server owner. Awaiting reply.

comment:9 Changed 5 years ago by zzz

  • Component changed from router/netdb to www/reseed

dg reports that ssllabs.com is a good resource for diagnosis of SSL server issues

comment:10 Changed 5 years ago by killyourtv

  • Resolution set to fixed
  • Status changed from assigned to closed

This problem appears to have been resolved thanks to Meeh, zzz, and the reseed host.
