another meaningless ssl exception from sun

Wed, Mar 7, 2007

In the past I’ve had handshake exceptions when doing web services over SSL and at least you can fathom what’s going wrong, as handshake means, well, a handshake. Now, the crappiest error I’ve seen yet for SSL has appeared in Guanxi:

org.guanxi.common.GuanxiException: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I traced the problem to a bug in the Guanxi Guard that only manifests itself when the Engine and a Guard are running in the same webapp. The Guard probes for the Engine’s certificate then marks it in the servlet context. However, the Guard uses its own ID as the marker. The Engine uses the Guard ID as a marker too. So the problem occurred when the Engine’s WAYFLocation service tried to connect to the Guard’s verifier service over SSL. As the Guard had already marked the wrong entity in the servlet context, the Engine thought it had already probed for the Guard’s certificate. It hadn’t, as it had been fooled by the Guard setting the wrong ID in the servlet context.

So the exception was caused by the Guard’s certificate not being in the Engine’s truststore.
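The message in the exception above is what the JDK produces whenever PKIX parameters are built from a truststore that holds no trusted certificate entries. The following is an added example, not Guanxi code: it reproduces that message with an empty in-memory truststore and shows a pre-flight check that fails with an error naming the missing peer. The class name, the requireAnchors helper and the "example-guard" ID are assumptions made for illustration.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

public class TrustAnchorCheck {

    // Count trusted-certificate entries, which is what
    // PKIXParameters(KeyStore) uses as its set of trust anchors.
    static int trustedCertCount(KeyStore ks) throws Exception {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                count++;
            }
        }
        return count;
    }

    // Hypothetical pre-flight check: fail early with a message that names
    // the peer whose certificate was never added to the truststore.
    static void requireAnchors(KeyStore ks, String peerId) throws Exception {
        if (trustedCertCount(ks) == 0) {
            throw new IllegalStateException(
                "Truststore has no trusted certificates; the certificate for "
                + peerId + " must be probed and stored before connecting");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty, in-memory truststore.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);

        try {
            new PKIXParameters(empty); // rejects a keystore with no anchors
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("JDK: " + e.getMessage());
        }

        try {
            requireAnchors(empty, "example-guard"); // placeholder peer ID
        } catch (IllegalStateException e) {
            System.out.println("Check: " + e.getMessage());
        }
    }
}
```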
