The trustmanager algorithm SunX509 is outdated, which causes an exception if certificate chain is out of order, but valid

[StefanSperliDerNeicheWaldvogel]

Caused by: sun.security.validator.ValidatorException: Certificate chaining error at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:207) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)

The default trustmanager algorithm used by java and the default algorithm used by the restlet framework are different which results in certificate chains seen as valid in java being "unknown" when called by the restlet framework.

"It should also be noted that this error only comes from the SunX509 TrustManagerFactory, but by default Java will use the PKIX TrustManagerFactory which doesn't have this error. To cause this error, the SunX509 factory must be configured either programmatically or overriding ssl.TrustManagerFactory.algorithm in java.security. Usage of SunX509 TrustManagerFactory is not recommended since SunX509 is considered obsolete and isn't updated since PKIX TrustManagerFactory was introduced." Source: https://access.redhat.com/solutions/1265543

This problem could be fixed by replacing the following field in the default DefaultSslContextFactory: private volatile String trustManagerAlgorithm = System.getProperty( "ssl.TrustManagerFactory.algorithm", "SunX509");

with private volatile String trustManagerAlgorithm = System.getProperty( "ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm());

[kerbymart]

Restlet afaik is already unmaintained. Not sure if you can do a pull-request in this repository for that.