opengeospatial / ets-wfs20

Executable Test Suite for WFS 2.0

Test suite fails with SSLHandshakeException #99

Closed dstenger closed 6 years ago

dstenger commented 6 years ago

SUT: https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities

Environments (error occurs on all environments):

TEAM Engine displays the following error:

Test tns:Main type Mandatory default result Passed (s0255)

Assertion: The test subject satisfies all applicable constraints.

Form d1e46_1: fid= wfs-uri=https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities

Error in call to extension function {public java.lang.Object com.occamlab.te.TECore.callFunction(net.sf.saxon.expr.XPathContext,java.lang.String,java.lang.String,net.sf.saxon.om.NodeInfo) throws java.lang.Exception}: Exception in extension function net.sf.saxon.s9api.SaxonApiException: Error in call to extension function {public javax.xml.transform.Source org.opengis.cite.iso19142.TestNGController.doTestRun(org.w3c.dom.Document) throws java.lang.Exception}: Exception in extension function java.lang.RuntimeException: Failed to parse resource located at https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities Result: Failed

Log shows following (snipped):

         ...
         Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
             at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
             at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
             at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
             at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
             at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
             at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
             at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
             at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
             at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
             at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
             at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
             at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
             at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
             at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
             at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
             at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
             at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
             at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
             at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
             at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
             at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
             at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
             at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
             at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
             at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:177)
             at org.opengis.cite.iso19142.util.URIUtils.resolveURIAsDocument(URIUtils.java:59)
             at org.opengis.cite.iso19142.SuiteFixtureListener.processWfsParameter(SuiteFixtureListener.java:82)
             ... 65 more
         ...

Complete error log is attached: log.txt

keshavnangare commented 6 years ago

@dstenger

[1] : https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities

This issue is occurring due to the service URL [1]. I have tested this service URL [1]; it is failing with an SSL error, but it worked with other RI.

I think the issue is with the server, not with the WFS test.

dstenger commented 6 years ago

I agree, the error does not occur with all services.

The following Java property can be used to enhance SSL logging:

         -Djavax.net.debug=SSL,handshake,data,trustmanager

keshavnangare commented 6 years ago

The following snippet contains the exact cause of this issue. The DOM parser is not able to detect the valid SSL certificate:

https://github.com/opengeospatial/ets-wfs20/blob/9151fcc1cbe2c50089707c7de6414af31708dcc3/src/main/java/org/opengis/cite/iso19142/util/URIUtils.java#L59

After adding the Java property, we got this debug log: log.txt

keshavnangare commented 6 years ago

@dstenger

SUT: https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities

Tested on: OS: Windows 8.1 JAVA:

         java version "1.8.0_162"
         Java(TM) SE Runtime Environment (build 1.8.0_162-b12)
         Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)

I have manually added a certificate to the Java Keystore but the same error has occurred.

  1. DigiCertGlobalRootCA.crt (When I try to add this certificate, it says it already exists, which means the Java keystore already has this certificate.)
  2. wfst.axl.aero.cert

I have tried with the above two certificates.

Tested on: OS: Ubuntu 14.04 LTS JAVA:

         java version "1.8.0_73"
         Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
         Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)

The same issue is produced in the Linux environment.

Opinion:

After adding the Java debugging property, we got some certificate. According to the SSL debug log, Java is not able to find a valid certificate, or maybe the server is not returning one.

Here is the reference link for (How to check the client-server SSL certificate communication). I think the server is not returning the trusted certificate; that is the reason for the client failure.

According to the SSL debug log, the server has not returned the trusted certificate. Maybe the issue is with the server, so we need to configure the server.

dstenger commented 6 years ago

I checked the HTTPS connection with several tools. E.g.

All tools confirm that the intermediate certificate is missing.

This certificate should be provided by the requested server. Thus, an installation error of the SSL certificates could be the cause of this problem.

Executed test:

Nevertheless, this bug should be resolved on the server side, as intermediate certificates should not be added to the trust store.

Further reading:

lgoltz commented 6 years ago

As far as I see, the same problem is described in https://github.com/opengeospatial/teamengine/issues/312. Validation with the three tools listed above seems to be fine.

dstenger commented 6 years ago

The maintainer of [1] installed the intermediate certificate on the SUT.

Now, the error does not occur any more and [1] can successfully be validated by [2].

--> Issue is solved.

[1] https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities

[2] http://cite.opengeospatial.org/teamengine/
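
The failure diagnosed in this thread can be reproduced offline. The following is an added example, not part of the original issue or of the ets-wfs20 project: it builds a throwaway root CA, intermediate CA and server certificate with `openssl`, then verifies the server certificate against a trust store holding only the root, once without and once with the intermediate supplied. All names (`Demo Root CA`, `make_chain`, `verify_leaf_only`, `verify_with_intermediate`) are constructed for this illustration.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server leaf (throwaway keys).
set -eu

make_chain() {  # $1 = empty working directory
  local d=$1 cnf=$1/demo.cnf
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate that belongs in the client trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$cnf" -extensions ca \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" -days 2 2>/dev/null
  # Intermediate CA signed by the root; the server is expected to send this one.
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$cnf" -extensions ca -out "$d/inter.pem" -days 2 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=sut.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -extfile "$cnf" -extensions leaf -out "$d/leaf.pem" -days 2 2>/dev/null
}

# Server sends only its own certificate (the misconfiguration in this issue):
# no path can be built from the leaf to the trusted root.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Server sends leaf plus intermediate; the trust store is unchanged (root only).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_chain "$demo_dir"
if verify_leaf_only "$demo_dir"; then echo "leaf only: trusted"; else echo "leaf only: path building fails"; fi
if verify_with_intermediate "$demo_dir"; then echo "leaf + intermediate: trusted"; else echo "leaf + intermediate: fails"; fi
```
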