SSLHandshakeException

[ilippert]

JabRef 5.3--2021-03-29--2948e6d
Linux 5.11.11-200.fc33.x86_64 amd64
Java 15.0.2
JavaFX 16+8

I asked an entry to download the file https://www.serbski-institut.de/os/dnlarchiv/Kleine_Reihe_27_web.2217.pdf and got this error message.

for SSL certificate issues, I would suggets allow the user to add an exception, like a browser would do?

Log File

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
  at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
  at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
  at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
  at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
  at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
  at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
  at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
  at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
  at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
  at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
  at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
  at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
  at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
  at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
  at java.base/java.net.HttpURLConnection.getResponseCode(Unknown Source)
  at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
  at [email protected]/org.jabref.logic.net.URLDownload.openConnection(Unknown Source)
  at [email protected]/org.jabref.logic.net.URLDownload.asInputStream(Unknown Source)
  at [email protected]/org.jabref.gui.externalfiles.FileDownloadTask.call(Unknown Source)
  at [email protected]/org.jabref.gui.externalfiles.FileDownloadTask.call(Unknown Source)
  at [email protected]/org.jabref.gui.util.BackgroundTask$3.call(Unknown Source)
  at [email protected]/org.jabref.gui.util.DefaultTaskExecutor$1.call(Unknown Source)
  at [email protected]/javafx.concurrent.Task$TaskCallable.call(Unknown Source)
  at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
  at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
  at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
  at java.base/java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
  at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
  at java.base/sun.security.validator.Validator.validate(Unknown Source)
  at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
  at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
  ... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
  at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
  at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
  ... 36 more

[stefan-kolb]

Reproducible. Browser does not complain.

[Siedlerchr]

Probably some certificates missing in the Java version

[ruanych]

I think for the SSL handshake issue, we can give the user some prompts like a browser and let the user choose whether to trust this site.
Either some certificates missing in the Java version or the certificate of that site has indeed expired.

[ruanych]

I think for the SSL handshake issue, we can give the user some prompts like a browser and let the user choose whether to trust this site.
Either some certificates missing in the Java version or the certificate of that site has indeed expired.

Before downloading the file, check SSL Handshake, like
https://github.com/Ryyyc/jabref/blob/2b37ec73f876b964d69e585abe2b22d18a8bfb4e/src/main/java/org/jabref/gui/fieldeditors/LinkedFileViewModel.java#L473-L491

After the download task is completed, restore the original certificate verification settings
https://github.com/Ryyyc/jabref/blob/2b37ec73f876b964d69e585abe2b22d18a8bfb4e/src/main/java/org/jabref/gui/fieldeditors/LinkedFileViewModel.java#L493-L511

[Siedlerchr]

@ryyyc That looks already like a good idea. Would be cool if you could create a PR°

[ruanych]

@Siedlerchr All right, if there is any need to modify this PR #7657 , please contact me.

[ruanych]

@Siedlerchr Hi, there seem to be some problems when making a pull request.
Some test cases did not seem to pass, but I tested the code on the branch main on the local machine, and some test cases also failed. What should I do?

[Siedlerchr]

Thanks to @ryyyc this should now be fixed in the latest main (currently building)