
#23377 closed defect (wontfix)

Java certificate error on a map layer

Reported by: anonymous
Owned by: team
Priority: normal
Milestone:
Component: Core imagery
Version: latest
Keywords: template_report imagery
Cc:

Description

What steps will reproduce the problem?

  1. Add https://basemaps.atlas.gov.tr/hava/{zoom}/{x}/{y}.png as a TMS layer.
  2. Open map layer in JOSM.

What is the expected result?

Should work just fine, as it does on iD.

What happens instead?

It throws out meaningless Java certificate errors.

Please provide any additional information below. Attach a screenshot if possible.

Relative URL: ^/trunk
Repository UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last Changed Date: 2023-08-24 17:23:11 +0200 (Thu, 24 Aug 2023)
Revision: 18821
Build-Date: 2023-08-25 01:30:59
URL: https://josm.openstreetmap.de/svn/trunk

Identification: JOSM/1.5 (18821 en) Linux Arch Linux
Memory Usage: 1043 MB / 1718 MB (415 MB allocated, but free)
Java version: 11.0.21+9, Oracle Corporation, OpenJDK 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.gtk.GTKLookAndFeel
Screen: :0.0 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 1920×1080
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: tr_TR.UTF-8
System property file.encoding: UTF-8
System property sun.jnu.encoding: UTF-8
Locale info: en_TR
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: KDE
VM arguments: [--add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED, -Djosm.restart=true]
Dataset consistency test: No problems found

Plugins:
+ Mapillary (2.2.0)
+ PicLayer (1.0.3)
+ apache-commons (36176)
+ ejml (36176)
+ geotools (36176)
+ jackson (36176)
+ jaxb (36118)
+ jts (36004)
+ opendata (36186)
+ reverter (36126)
+ utilsplugin2 (36178)

Tagging presets:
+ https://raw.githubusercontent.com/yopaseopor/traffic_signs_preset_JOSM/master/TR.zip
+ https://josm.openstreetmap.de/josmfile?page=Presets/LaneAttributes&zip=1
+ https://raw.githubusercontent.com/osmlab/name-suggestion-index/main/dist/presets/nsi-josm-presets.min.xml

Last errors/warnings:
- 00436.722 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.730 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.733 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.736 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.749 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.781 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.784 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.795 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.800 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.804 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Attachments (0)

Change History (7)

comment:1 by stoecker, 13 months ago

Resolution: irreproducible
Status: new → closed

Can neither ping nor connect to the server from different networks. It's either Geo-blocked or broken. In both cases there's nothing we can do.

comment:2 by anonymous, 13 months ago

@stoecker: Can confirm that it's geoblocked (used some VPN, and confirmed that it doesn't work in iD in such a case). This is very unfortunate, but still there should be something that could be done... as it is a Java error and the server works perfectly besides geoblocking.

comment:3 by stoecker, 13 months ago

Please provide information about the used certificate and the certificate chain the server sends.

Last edited 13 months ago by stoecker

comment:4 by anonymous, 13 months ago

Certificate chain
 0 s:CN=*.atlas.gov.tr
   i:C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 17 14:18:07 2023 GMT; NotAfter: Oct 16 14:18:07 2024 GMT

*trimmed*

---
Server certificate
subject=CN=*.atlas.gov.tr
issuer=C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

comment:5 by stoecker, 13 months ago

Resolution: irreproducible
Status: closed → reopened

Hmm, I only find a security incident for this: https://bugzilla.mozilla.org/show_bug.cgi?id=1801345

Can you please connect with openssl

openssl s_client -connect basemaps.atlas.gov.tr:443 -showcerts

and post the whole output?

P.S. I wonder why it works with iD for you. Java under Linux uses the system CAs. That means your system doesn't know the CA while your browser knows it.

comment:6 by anonymous, 13 months ago

Connecting to 95.0.28.170
CONNECTED(00000003)
depth=0 CN=*.atlas.gov.tr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=*.atlas.gov.tr
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=*.atlas.gov.tr
verify return:1
---
Certificate chain
 0 s:CN=*.atlas.gov.tr
   i:C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 17 14:18:07 2023 GMT; NotAfter: Oct 16 14:18:07 2024 GMT
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN=*.atlas.gov.tr
issuer=C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2350 bytes and written 409 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A0A51934DBB3667C0B260C55370FDCFD5BBE322A2ACFABE05D5BD1F726535631
    Session-ID-ctx: 
    Resumption PSK: 2E673E93A3BA82D77B25A0394CC96446BD4FAC3F54E611D51B8978D6E4A857EE721D666FA0A14920CCBBE71C36D52000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 94 0f 22 9d 23 e3 36-19 10 b3 3d 70 59 48 18   R..".#.6...=pYH.
    0010 - a1 18 a7 49 f8 8f 77 48-5d 0d d5 c7 83 54 2d 29   ...I..wH]....T-)
    0020 - 14 ae f8 aa 31 9b bb 7a-86 b1 84 4a 6e 06 89 db   ....1..z...Jn...
    0030 - ec 7d f5 eb 82 77 43 49-a8 bb fe af 73 bf dc 25   .}...wCI....s..%
    0040 - b7 43 2c 44 fa c3 12 0f-1d f3 13 4b 96 f6 cc 4f   .C,D.......K...O
    0050 - d4 4d 72 7e 7b 78 26 6a-04 8b a5 65 67 de e2 ae   .Mr~{x&j...eg...
    0060 - 5b 10 02 0a ec 9b 74 81-d8 6c 6e b4 de ba 08 1c   [.....t..ln.....
    0070 - 2a bf 5c b9 90 70 87 a2-b9 b3 15 92 d6 e4 3d 74   *.\..p........=t
    0080 - 0e b1 3a 6e ba 14 81 39-37 85 bd 23 a5 36 04 f5   ..:n...97..#.6..
    0090 - f0 10 c8 b7 cd 91 5e 1c-5d 14 01 02 9c 78 2d 14   ......^.]....x-.
    00a0 - 45 5c 87 98 9b 23 38 31-cf 4c ea 61 7a c6 1f 5a   E\...#81.L.az..Z
    00b0 - 1b bd aa 38 e7 44 b9 1a-b6 df 7f 59 6e 7e 23 7c   ...8.D.....Yn~#|
    00c0 - 44 2c 68 2d 13 7b 05 2a-83 58 96 63 93 79 cf d9   D,h-.{.*.X.c.y..
    00d0 - 5c 44 e8 9f d4 d6 6b c0-5f 3b 39 65 ff 15 53 f1   \D....k._;9e..S.
    00e0 - a6 08 d5 5f e9 a9 56 ae-ef ac 21 b8 a3 b0 6f cc   ..._..V...!...o.

    Start Time: 1704121512
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D25A43E346C6D03B1E29B56E4263E68FF5E7A05D1FE3F2918ED536EE72939B00
    Session-ID-ctx: 
    Resumption PSK: 3334039511E8E248D2228440BC813DEDE01F2B7DA6FDB54383FE15190EE1D7639ED53D88E767CC509D63CEA64603DB27
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 94 0f 22 9d 23 e3 36-19 10 b3 3d 70 59 48 18   R..".#.6...=pYH.
    0010 - 47 99 54 a1 e8 9a c8 18-8d 07 ef 2a d5 f6 83 19   G.T........*....
    0020 - 64 db e2 40 83 59 2d 98-da 2a 16 39 a7 47 bb da   d..@.Y-..*.9.G..
    0030 - 64 6e 53 10 09 20 29 a7-fe 50 4e da 51 62 8a 3c   dnS.. )..PN.Qb.<
    0040 - 39 6e 64 90 6b f1 a6 85-52 e9 2f 11 95 54 6d 0f   9nd.k...R./..Tm.
    0050 - 2c 6f ca 92 17 21 5d f9-dd 62 c9 76 07 1a 8f b2   ,o...!]..b.v....
    0060 - 52 3d 1e e3 91 f5 8e e3-e5 b8 e0 a4 80 6e e4 f8   R=...........n..
    0070 - cb 9d 82 b3 a1 49 80 8e-fb 04 92 44 3e 2a 4c e1   .....I.....D>*L.
    0080 - ae 12 a9 b4 7c 03 57 22-7d fa 4f 4d 99 87 85 37   ....|.W"}.OM...7
    0090 - ec 8f 77 fa 2f 9d c7 83-c8 38 44 bc 8e 47 c2 56   ..w./....8D..G.V
    00a0 - 06 23 21 14 8a 69 1c 89-b9 58 1c 36 90 44 b4 ed   .#!..i...X.6.D..
    00b0 - b3 00 d1 05 f7 74 b5 39-e7 44 1c cf 25 27 3d 93   .....t.9.D..%'=.
    00c0 - 11 fd 4a 86 be 70 0c 34-29 26 f2 be 34 ec a6 71   ..J..p.4)&..4..q
    00d0 - e6 16 fd 7c 24 2b 18 6c-e9 4a 1b 40 41 3c 93 eb   ...|$+.l.J.@A<..
    00e0 - dd 99 7b 8c 00 01 d3 d5-33 4a 5a 0f c0 8a 8d 89   ..{.....3JZ.....

    Start Time: 1704121512
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Yep, it's totally weird. I also wonder about that.
And I didn't notice it at first, but it seems like OpenSSL throws out some errors while the browser (Firefox) does not throw any errors at all.

comment:7 by stoecker, 13 months ago

Resolution: wontfix
Status: reopened → closed

I assume you need to download and install https://ssl.com/repo/certs/ETugra-TLS-I-RSA-R1.der (from this site https://www.ssl.com/repository/). Note that it is in DER format. You probably need to convert it first to .pem. Search for your system how to install certs. In the past you simply copied the pem file to /etc/ssl/certs and run c_rehash. That probably still works, but I'm sure it's not the preferred way nowadays.

We won't support this in JOSM, as it was removed from the list of trustworthy certs: https://github.com/advisories/GHSA-xqr8-7jwr-rhp7, https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A

P.S. As it was removed for CA issues: It's probably better if you do not install the CA, but only the single cert itself. You can take this from the openssl output above.

Other solutions:

  • Try http instead of https. Maybe it works.
  • Wait a bit. I'm sure they will switch to another cert provider.
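Added example, not from this ticket or from JOSM: the script below rebuilds the situation in comment:6 with a throwaway PKI (the server presents only its leaf certificate, so a client that trusts only roots cannot build a path) and then runs the workarounds from comment:7 with nothing but the openssl CLI. The names (Demo Root CA, Demo TLS RSA SubCA, *.demo.example), the keys and the hostname are invented for the demo; openssl 1.1.1 or newer is assumed, and keytool is only needed for the optional JDK check, which is not exercised.

```shell
#!/bin/sh
# Added example, not taken from the JOSM ticket or the JOSM code base.
# It rebuilds, with a throwaway PKI, the situation the s_client output in
# comment:6 shows (the server sends only its leaf certificate) and then
# exercises the workarounds from comment:7 using only the openssl CLI.
# Everything here (Demo Root CA, Demo TLS RSA SubCA, *.demo.example) is
# invented for the demo; openssl 1.1.1 or newer is assumed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Three-tier PKI: root -> intermediate (sub CA) -> wildcard leaf, all RSA-2048
# like the real chain in the ticket.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.demo.example\nextendedKeyUsage=serverAuth\n' > leaf.ext

    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo TLS RSA SubCA' \
        -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -days 2 -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile sub.ext -out sub.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.demo.example' \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -days 2 -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Run `openssl verify` and reduce it to ok/fail so the cases line up.
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Case 1, the ticket: peer sends only the leaf, client trusts only roots.
# openssl: error 20/21; Java: "unable to find valid certification path".
verify_without_intermediate() { verdict -CAfile root.pem leaf.pem; }

# Case 2: a client that already has the intermediate (browsers cache and ship
# many of them) completes the path, one reason Firefox/iD did not complain.
verify_with_intermediate() { verdict -CAfile root.pem -untrusted sub.pem leaf.pem; }

# Case 3, comment:7's preferred fix: trust the single end-entity certificate
# and nothing from the distrusted hierarchy. -partial_chain lets a non-root
# trust anchor terminate the path; Java's PKIX validator accepts a leaf that
# is itself in the truststore without needing such a flag.
verify_pinned_leaf() { verdict -partial_chain -trusted leaf.pem leaf.pem; }

# comment:7 links a .der file; the system and JDK stores want PEM. Round-trip
# and compare SHA-256 fingerprints to confirm only the encoding changed.
der_roundtrip_matches() {
    openssl x509 -in leaf.pem -outform der -out leaf.der
    openssl x509 -inform der -in leaf.der -out leaf-from-der.pem
    a="$(openssl x509 -in leaf.pem -noout -fingerprint -sha256)"
    b="$(openssl x509 -in leaf-from-der.pem -noout -fingerprint -sha256)"
    [ "$a" = "$b" ] && echo same || echo different
}

# Live capture of just the leaf, as in comment:6 (needs network, not run here).
fetch_leaf() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform pem
}

# Does the JDK's default truststore know a given issuer (comment:5's question)?
# keytool ships with the JDK, so this is not exercised in the demo either.
jdk_trusts() {
    keytool -list -cacerts -storepass changeit 2>/dev/null | grep -i -- "$1" \
        || echo "cacerts has no entry matching: $1"
}

make_demo_pki
echo "leaf only, root trusted:            $(verify_without_intermediate)"   # fail
echo "leaf + intermediate, root trusted:  $(verify_with_intermediate)"      # ok
echo "leaf pinned as its own anchor:      $(verify_pinned_leaf)"            # ok
echo "DER -> PEM round-trip fingerprints: $(der_roundtrip_matches)"         # same
```

Case 1 is what the log above shows: the s_client chain has a single entry at depth 0, so a validator that starts from roots alone stops at error 20/21, which Java reports as the PKIX path building failure. Case 3 keeps TLS and trusts nothing else from the distrusted hierarchy, but it is bound to that one certificate, which per the output above expires on Oct 16 2024, so it has to be redone at renewal. Put the PEM where the JDK actually looks (import it with `keytool -importcert -file leaf.pem` into the cacerts file the JVM uses, or let the distribution's CA update tool regenerate it); the plain-http fallback gives up tile integrity altogether.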
