Opened 13 months ago
Closed 13 months ago
#23377 closed defect (wontfix)
Java certificate error on a map layer
Reported by: | anonymous | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Core imagery | Version: | latest |
Keywords: | template_report imagery | Cc: |
Description
What steps will reproduce the problem?
- Add https://basemaps.atlas.gov.tr/hava/{zoom}/{x}/{y}.png as a TMS layer.
- Open map layer in JOSM.
What is the expected result?
Should work just fine, as it does on iD.
What happens instead?
It throws out meaningless Java certificate errors.
Please provide any additional information below. Attach a screenshot if possible.
Relative:URL: ^/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2023-08-24 17:23:11 +0200 (Thu, 24 Aug 2023)
Revision:18821
Build-Date:2023-08-25 01:30:59
URL:https://josm.openstreetmap.de/svn/trunk

Identification: JOSM/1.5 (18821 en) Linux Arch Linux
Memory Usage: 1043 MB / 1718 MB (415 MB allocated, but free)
Java version: 11.0.21+9, Oracle Corporation, OpenJDK 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.gtk.GTKLookAndFeel
Screen: :0.0 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 1920×1080
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: tr_TR.UTF-8
System property file.encoding: UTF-8
System property sun.jnu.encoding: UTF-8
Locale info: en_TR
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: KDE
VM arguments: [--add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED, -Djosm.restart=true]
Dataset consistency test: No problems found

Plugins:
+ Mapillary (2.2.0)
+ PicLayer (1.0.3)
+ apache-commons (36176)
+ ejml (36176)
+ geotools (36176)
+ jackson (36176)
+ jaxb (36118)
+ jts (36004)
+ opendata (36186)
+ reverter (36126)
+ utilsplugin2 (36178)

Tagging presets:
+ https://raw.githubusercontent.com/yopaseopor/traffic_signs_preset_JOSM/master/TR.zip
+ https://josm.openstreetmap.de/josmfile?page=Presets/LaneAttributes&zip=1
+ https://raw.githubusercontent.com/osmlab/name-suggestion-index/main/dist/presets/nsi-josm-presets.min.xml

Last errors/warnings:
- 00436.722 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.730 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.733 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.736 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.749 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.781 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.784 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.795 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.800 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 00436.804 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Attachments (0)
Change History (7)
comment:1 by , 13 months ago
Resolution: | → irreproducible |
---|---|
Status: | new → closed |
comment:2 by , 13 months ago
@stoecker: can confirm that it's geoblocked (used some VPN, and confirmed that it doesn't work in iD in such a case). This is very unfortunate, but still there should be something that could be done... as it is a Java error and the server works perfectly besides geoblocking.
comment:3 by , 13 months ago
Please provide information about the used certificate and the certificate chain the server sends.
comment:4 by , 13 months ago
Certificate chain
0 s:CN=*.atlas.gov.tr
i:C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 17 14:18:07 2023 GMT; NotAfter: Oct 16 14:18:07 2024 GMT
*trimmed*
---
Server certificate
subject=CN=*.atlas.gov.tr
issuer=C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
comment:5 by , 13 months ago
Resolution: | irreproducible |
---|---|
Status: | closed → reopened |
Hmm, I only find a security incident for this: https://bugzilla.mozilla.org/show_bug.cgi?id=1801345
Can you please connect with openssl
openssl s_client -connect basemaps.atlas.gov.tr:443 -showcerts
and post the whole output?
P.S. I wonder why it works with iD for you. Java under Linux uses the system CAs. That means your system doesn't know the CA while your browser knows it.
comment:6 by , 13 months ago
Connecting to 95.0.28.170
CONNECTED(00000003)
depth=0 CN=*.atlas.gov.tr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=*.atlas.gov.tr
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=*.atlas.gov.tr
verify return:1
---
Certificate chain
 0 s:CN=*.atlas.gov.tr
   i:C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 17 14:18:07 2023 GMT; NotAfter: Oct 16 14:18:07 2024 GMT
-----BEGIN CERTIFICATE-----
MIIG+jCCBOKgAwIBAgIQJmgCOSfIVRh8kU8XXeVEETANBgkqhkiG9w0BAQsFADB5
MQswCQYDVQQGEwJUUjFHMEUGA1UECgw+RS1UVUdSQSBFQkcgQklMSVNJTSBURUtO
T0xPSklMRVJJIFZFIEhJWk1FVExFUkkgQU5PTklNIFNJUktFVEkxITAfBgNVBAMM
GEUtVHVncmEgVExTIFJTQSBTdWJDQSBSMTAeFw0yMzEwMTcxNDE4MDdaFw0yNDEw
MTYxNDE4MDdaMBkxFzAVBgNVBAMMDiouYXRsYXMuZ292LnRyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk+dHPCvw5Y+JAKwYdQmD//ulUyuDXWWMwQGP
rSD2kghkX/sqP57KkZUQEthh0qyeZfHkcLTr43TIpZ32FquoExl2srM0Yp1u7Z4N
Ofp7tp6yCoZc85ceIy1YDTEid/hKbvc6KaswAZ4Cp5OkqXhIYUiR+ruB/5tHEKbJ
1HVLdleX9meQBdL67uxvGmMgkdDjr4iMMshBi3K6NcyocWa2rMUXdGBR5fXzCa34
terTVZZIkliU/j9NNowrGrAEjruoEvzeO/SeiRteLHBnEADNOE/dpK3dqz22Glzs
38rjggTtZArqpMFa+gBv96NtJ+6S+d3ARPNCz0xoD7+9OjBTrQIDAQABo4IC3DCC
AtgwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQAOByzF+ma4Yf7vXxka5trNawS
mTBpBggrBgEFBQcBAQRdMFswNwYIKwYBBQUHMAKGK2h0dHA6Ly9jZXJ0LnNzbC5j
b20vRVR1Z3JhLVRMUy1JLVJTQS1SMS5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v
Y3Nwcy5zc2wuY29tMCcGA1UdEQQgMB6CDiouYXRsYXMuZ292LnRyggxhdGxhcy5n
b3YudHIwIwYDVR0gBBwwGjAIBgZngQwBAgEwDgYMKwYBBAGCqTABAwEBMB0GA1Ud
JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATA8BgNVHR8ENTAzMDGgL6AthitodHRw
Oi8vY3Jscy5zc2wuY29tL0VUdWdyYS1UTFMtSS1SU0EtUjEuY3JsMA4GA1UdDwEB
/wQEAwIFoDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYASLDja9qmRzQP5WoC
+p0w6xxSActW3SyB2bu/qznYhHMAAAGLPgl95AAABAMARzBFAiAjkbXqVIchdogC
6qwXSFsQH3SSdHNKfMyc/xMBavFptwIhAP4FyGoC/QTTASbLDVABWDEJD5AvEFp9
MfTpbMyAIBrLAHYA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGL
Pgl9zAAABAMARzBFAiBhGaWhyd8p9z2gm7Klov8SNX1gIDkVY+sg6WE2vmUE6gIh
AOx5OHxFw1vuL+M7s0CkLLTT8wU9xUnsncIvcYn/ESA/AHcAPxdLT9ciR1iUHWUc
hL4NEu2QN38fhWrrwb8ohez4ZG4AAAGLPgl9zQAABAMASDBGAiEA6ftZfoqljObk
i4XrGPnqZrEcliXE+/MCZwehTCnHdjECIQDMVlRFLa3Hwr8PrqJQ7mpISIANmmqD
noz9YIu3ZkJr3zANBgkqhkiG9w0BAQsFAAOCAgEACbeDKYpkmhPUUcRfzed5FzVH
GvzE3aImOr9zcrivZS+5+DVeciAokNh63+SlJHJGYi6bIeGs68YEReY62Vb1hgiG
PFH+PxXHrOqZPp+wxoGIr3JGAZfFaxgjaMIJ7yIUA42+BzrCyJop123BaSatx1vO
KdW+aOX0va3Oj/QMRxEX/IiE1z3Tj19YaR6NeuRCEWgrE+H8pvMbSdROEnnqUPt5
s8YZ6BuR4c0mmvIftprpoP21f0u/4F6pv0ILR4XeK1PlHK6Sc2q5pNKvf5ETbHBz
CGE0i8AWobT7sa9kM+wBP8W70ApbmOJSLqzlQ2dkkmky3rMH2r8dvCR1PLl7jFA9
ub8YFtmQ1JOp844qLS8ymCK9mB/A7QLZrSeEB4B9EiGApLl16vqpbhrdTkLX5xkA
JWNipRPn/rMvQPzpA86/DrF+TT1DsVoCAh6uolgXXikmHQGrjhfkQhVUK/eP93WX
eD2jLwc1sjLup5sBj28Z2xCds8IU8oYaPFvc2cH5XC4MQmswM9WC2YYtpw+fgD5f
Az9/oizJomrI2HhaMkXmZnxPV9SfWZ8+yteqjglWohAI/W1hKrbIr516BDzrwmiX
xqu554M+Sjnq1pSCdebrqJnO3a/nDgSReyQrzegGi/7XbG+WiJbW06a313pvbnwo
uWwbUbDM/cPSMmmHRUA=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=*.atlas.gov.tr
issuer=C=TR, O=E-TUGRA EBG BILISIM TEKNOLOJILERI VE HIZMETLERI ANONIM SIRKETI, CN=E-Tugra TLS RSA SubCA R1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2350 bytes and written 409 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A0A51934DBB3667C0B260C55370FDCFD5BBE322A2ACFABE05D5BD1F726535631
    Session-ID-ctx:
    Resumption PSK: 2E673E93A3BA82D77B25A0394CC96446BD4FAC3F54E611D51B8978D6E4A857EE721D666FA0A14920CCBBE71C36D52000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 94 0f 22 9d 23 e3 36-19 10 b3 3d 70 59 48 18   R..".#.6...=pYH.
    0010 - a1 18 a7 49 f8 8f 77 48-5d 0d d5 c7 83 54 2d 29   ...I..wH]....T-)
    0020 - 14 ae f8 aa 31 9b bb 7a-86 b1 84 4a 6e 06 89 db   ....1..z...Jn...
    0030 - ec 7d f5 eb 82 77 43 49-a8 bb fe af 73 bf dc 25   .}...wCI....s..%
    0040 - b7 43 2c 44 fa c3 12 0f-1d f3 13 4b 96 f6 cc 4f   .C,D.......K...O
    0050 - d4 4d 72 7e 7b 78 26 6a-04 8b a5 65 67 de e2 ae   .Mr~{x&j...eg...
    0060 - 5b 10 02 0a ec 9b 74 81-d8 6c 6e b4 de ba 08 1c   [.....t..ln.....
    0070 - 2a bf 5c b9 90 70 87 a2-b9 b3 15 92 d6 e4 3d 74   *.\..p........=t
    0080 - 0e b1 3a 6e ba 14 81 39-37 85 bd 23 a5 36 04 f5   ..:n...97..#.6..
    0090 - f0 10 c8 b7 cd 91 5e 1c-5d 14 01 02 9c 78 2d 14   ......^.]....x-.
    00a0 - 45 5c 87 98 9b 23 38 31-cf 4c ea 61 7a c6 1f 5a   E\...#81.L.az..Z
    00b0 - 1b bd aa 38 e7 44 b9 1a-b6 df 7f 59 6e 7e 23 7c   ...8.D.....Yn~#|
    00c0 - 44 2c 68 2d 13 7b 05 2a-83 58 96 63 93 79 cf d9   D,h-.{.*.X.c.y..
    00d0 - 5c 44 e8 9f d4 d6 6b c0-5f 3b 39 65 ff 15 53 f1   \D....k._;9e..S.
    00e0 - a6 08 d5 5f e9 a9 56 ae-ef ac 21 b8 a3 b0 6f cc   ..._..V...!...o.

    Start Time: 1704121512
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D25A43E346C6D03B1E29B56E4263E68FF5E7A05D1FE3F2918ED536EE72939B00
    Session-ID-ctx:
    Resumption PSK: 3334039511E8E248D2228440BC813DEDE01F2B7DA6FDB54383FE15190EE1D7639ED53D88E767CC509D63CEA64603DB27
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 94 0f 22 9d 23 e3 36-19 10 b3 3d 70 59 48 18   R..".#.6...=pYH.
    0010 - 47 99 54 a1 e8 9a c8 18-8d 07 ef 2a d5 f6 83 19   G.T........*....
    0020 - 64 db e2 40 83 59 2d 98-da 2a 16 39 a7 47 bb da   d..@.Y-..*.9.G..
    0030 - 64 6e 53 10 09 20 29 a7-fe 50 4e da 51 62 8a 3c   dnS.. )..PN.Qb.<
    0040 - 39 6e 64 90 6b f1 a6 85-52 e9 2f 11 95 54 6d 0f   9nd.k...R./..Tm.
    0050 - 2c 6f ca 92 17 21 5d f9-dd 62 c9 76 07 1a 8f b2   ,o...!]..b.v....
    0060 - 52 3d 1e e3 91 f5 8e e3-e5 b8 e0 a4 80 6e e4 f8   R=...........n..
    0070 - cb 9d 82 b3 a1 49 80 8e-fb 04 92 44 3e 2a 4c e1   .....I.....D>*L.
    0080 - ae 12 a9 b4 7c 03 57 22-7d fa 4f 4d 99 87 85 37   ....|.W"}.OM...7
    0090 - ec 8f 77 fa 2f 9d c7 83-c8 38 44 bc 8e 47 c2 56   ..w./....8D..G.V
    00a0 - 06 23 21 14 8a 69 1c 89-b9 58 1c 36 90 44 b4 ed   .#!..i...X.6.D..
    00b0 - b3 00 d1 05 f7 74 b5 39-e7 44 1c cf 25 27 3d 93   .....t.9.D..%'=.
    00c0 - 11 fd 4a 86 be 70 0c 34-29 26 f2 be 34 ec a6 71   ..J..p.4)&..4..q
    00d0 - e6 16 fd 7c 24 2b 18 6c-e9 4a 1b 40 41 3c 93 eb   ...|$+.l.J.@A<..
    00e0 - dd 99 7b 8c 00 01 d3 d5-33 4a 5a 0f c0 8a 8d 89   ..{.....3JZ.....

    Start Time: 1704121512
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
Yep, it's totally weird. I wonder about that too.
And I didn't notice it at first, but it seems like OpenSSL throws out some errors while the browser (Firefox) does not throw any errors at all.
comment:7 by , 13 months ago
Resolution: | → wontfix |
---|---|
Status: | reopened → closed |
I assume you need to download and install https://ssl.com/repo/certs/ETugra-TLS-I-RSA-R1.der (from this site https://www.ssl.com/repository/). Note that it is in DER format. You probably need to convert it first to .pem. Search how to install certs on your system. In the past you simply copied the pem file to /etc/ssl/certs and ran c_rehash. That probably still works, but I'm sure it's not the preferred way nowadays.
We won't support this in JOSM, as it was removed from the list of trustworthy certs: https://github.com/advisories/GHSA-xqr8-7jwr-rhp7, https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
P.S. As it was removed for CA issues: it's probably better if you do not install the CA, but only the single cert itself. You can take this from the openssl output above.
Other solutions:
- Try http instead of https. Maybe it works.
- Wait a bit. I'm sure they will switch to another cert provider.
Can neither ping nor connect to the server from different networks. It's either Geo-blocked or broken. In both cases there's nothing we can do.