Problem with trusted certificates


Pavel Fila

Mar 30, 2017, 1:30:43 PM
to pushy
Hi,
Previously we were struggling with the netty-tcnative library. That seems to be working now; Pushy passes connect() successfully.

The initialization is as follows:

SocketAddress socketAddress = new InetSocketAddress(proxyHost, proxyPort);
// Proxy credentials are optional; null means no Proxy-Authorization is sent with the CONNECT request
String username = isNotEmpty(proxyUsername) ? proxyUsername : null;
String password = isNotEmpty(proxyUsername) ? proxyPassword : null;
ProxyHandlerFactory proxyHandlerFactory = new HttpProxyHandlerFactory(socketAddress, username, password);

ApnsClientBuilder builder = new ApnsClientBuilder()
        .setClientCredentials(new File("c:/devenv/apnscerts/APNS_Sandbox.p12"), "blahablah")
        .setProxyHandlerFactory(proxyHandlerFactory);

apnsClient = builder.build();
// await(long) takes milliseconds and returns true when the future completed within the timeout;
// it does not by itself say the connection succeeded (isSuccess() does)
boolean connected = apnsClient.connect(ApnsClient.DEVELOPMENT_APNS_HOST).await(requestTimeout);

// connected == true


But then when we try to send the actual notification

PushNotificationResponse<SimpleApnsPushNotification> response = apnsClient.sendNotification(pushNotification).get(requestTimeout, TimeUnit.SECONDS);

it throws an SSL problem:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.proxy.ProxyHandler.channelRead(ProxyHandler.java:255)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:438)
        at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:255)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:624)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:559)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:476)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:438)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:634)
        at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:404)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:832)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:935)
        at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:200)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1119)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1041)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
        ... 25 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90)
        at sun.security.validator.Validator.getInstance(Validator.java:179)
        at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:314)
        at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:173)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:241)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
        at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:630)
        ... 33 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
        ... 40 more


So we tried to download the api.development.push.apple.crt from Apple's api.development.push.apple.com:443 site and put it in as the trusted certificate chain:


ApnsClientBuilder builder = new ApnsClientBuilder()
        .setClientCredentials(new File("c:/devenv/apnscerts/APNS_Sandbox.p12"), "blahablah")
        .setTrustedServerCertificateChain(new File("C:/devenv/api.development.push.apple.crt"))
        .setProxyHandlerFactory(proxyHandlerFactory);

apnsClient = builder.build();



But that resulted in another SSL engine problem:

javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:634)
        at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:404)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:832)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:935)
        at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:200)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1119)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1041)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.proxy.ProxyHandler.channelRead(ProxyHandler.java:255)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:438)
        at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:255)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:624)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:559)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:476)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:438)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144)
        at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
        at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:630)
        ... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
        ... 40 more

Now it looks like we are lacking fresh ideas about where to look for the error...

Cheers
Pavel

Jon Chambers

Mar 30, 2017, 2:07:47 PM
to Pavel Fila, pushy
I thiiiiiiink what's going wrong here is that you're saying with setTrustedServerCertificateChain(new File("C:/devenv/api.development.push.apple.crt")) that the contents of that certificate represent the entirety of your trust chain. What's in that file? Is it just the server's certificate, or does it contain the entire chain of certificates up to the root CA?

-Jon


--
Pushy is an open-source Java library for sending APNs (iOS and OS X) push notifications. Pushy is brought to you by the engineers at RelayRides.
---
You received this message because you are subscribed to the Google Groups "pushy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pushy-apns+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pavel Fila

Mar 30, 2017, 2:39:35 PM
to pushy, pavel.jar...@gmail.com
Well, we hope it's the whole chain. We have a very restricted environment, so we downloaded that certificate with some old portable version of Firefox, which was the only thing that allowed it. So I'm not 100% sure it's the correct cert, although it looks like it really is for development push. The domains look fine.

Would there be the 100% correct cert for download somewhere?

cheers
Pavel

Jon Chambers

Mar 30, 2017, 2:41:48 PM
to Pavel Fila, pushy
I'm not sure; most systems already trust Apple's root CA, so this is the first time I'm seeing this issue and don't have a certificate ready to go.

Can you send me a copy of the certificate file (Apple's—not yours) you're using? I can at least take a look and make sure it looks non-crazy.

-Jon


Pavel Fila

Mar 31, 2017, 5:50:22 AM
to pushy, pavel.jar...@gmail.com
The cert (chain) is attached. Do you see a problem there?
api.development.push.apple.crt

Pavel Fila

Apr 3, 2017, 12:41:59 PM
to pushy, pavel.jar...@gmail.com
Have you checked that? Does it look suspicious?
pavel

Jon Chambers

Apr 3, 2017, 3:48:58 PM
to Pavel Fila, pushy
That looks like a complete and correct certificate chain to me; I'm not sure what might be going wrong here. Have you tried a minimal test case where you attempt to establish a TLS (not necessarily HTTP/2) connection to the APNs server without using Pushy?

-Jon


Pavel Fila

Apr 6, 2017, 9:32:17 AM
to pushy, pavel.jar...@gmail.com
All right, thanks for checking. Meanwhile we figured out that the problem is 99% caused by our proxy.
We tested the code on one of our machines with direct connection to the internet and it worked well.

cheers
Pavel
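A minimal test case of the kind Jon suggests, and a way to reproduce Pavel's direct-versus-proxy comparison, written as an added example for this thread rather than code from Pushy or from either poster: it trusts only the downloaded chain file, exactly as setTrustedServerCertificateChain() does, and attempts a bare TLS handshake with the development APNs host, optionally tunnelled through an unauthenticated HTTP proxy. The class name, argument layout and output format are assumptions; the client .p12 is deliberately not loaded because the server chain is verified before any client certificate comes into play.

```java
// Added diagnostic for this thread (not Pushy's code): trust only the PEM chain meant for
// setTrustedServerCertificateChain(), then handshake with APNs directly or through an HTTP proxy.
// Usage: java ApnsTrustCheck <chain.crt> [proxyHost proxyPort]
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class ApnsTrustCheck {
    static final String HOST = "api.development.push.apple.com"; // ApnsClient.DEVELOPMENT_APNS_HOST
    public static void main(String[] args) throws Exception {
        // Step 1: the file becomes the whole trust store. Zero parsed certificates gives "the trustAnchors
        // parameter must be non-empty"; a chain missing its root gives "unable to find valid certification path".
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                ks.setCertificateEntry(x.getSubjectX500Principal().getName(), x);
                boolean root = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
                System.out.println("trusted: " + x.getSubjectX500Principal() + (root ? " [root]" : ""));
            }
        }
        if (ks.size() == 0) throw new IllegalStateException("no certificates parsed from " + args[0]);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert: the server chain is verified first
        // Step 2: plain TCP, optionally tunnelled with HTTP CONNECT (no proxy auth) as HttpProxyHandlerFactory does.
        Socket raw = args.length > 2 ? new Socket(args[1], Integer.parseInt(args[2])) : new Socket(HOST, 443);
        if (args.length > 2) {
            raw.getOutputStream().write(("CONNECT " + HOST + ":443 HTTP/1.1\r\nHost: " + HOST + ":443\r\n\r\n").getBytes("US-ASCII"));
            byte[] buf = new byte[4096];
            String reply = new String(buf, 0, raw.getInputStream().read(buf), "US-ASCII");
            if (!reply.matches("(?s)HTTP/1\\.[01] 200.*")) throw new IllegalStateException("proxy refused: " + reply);
        }
        // Step 3: TLS over that socket. A presented issuer absent from the file means the proxy (or
        // something else on the path) terminates TLS and re-signs with its own CA, which the pinned chain rejects.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(raw, HOST, 443, true)) {
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                System.out.println("presented: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }
}
```

Run it once directly and once with the proxy arguments: a "PKIX path building failed" handshake error or a different "presented" issuer only on the proxied run isolates the proxy, independent of Pushy and Netty.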