This server's certificate chain is incomplete. Grade capped to B with openssl, but jdk was not
I got the "This server's certificate chain is incomplete. Grade capped to B" tip on the SSL test when I use openssl, but I got the full cert chain when I use jdkssl.
Is this a feature of openssl, or is my configuration incorrect?
Following is the validation code of the client.
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    SSLContext context = SSLContext.getInstance("TLS");
    // Diagnostic trust manager: performs no validation, only logs the calls.
    X509TrustManager x509m = new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            System.out.println("getAcceptedIssuers......");
            return null;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            System.out.println("checkServerTrusted......");
            // When I use jdkssl, the chain's value is everything my server has configured.
            // But with openssl, the chain's value has only one certificate.
            // Why did this happen? Is my server configuration incorrect, or is this a feature of openssl?
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            System.out.println("checkClientTrusted......");
        }
    };
    context.init(null, new TrustManager[] { x509m }, new SecureRandom());
java openssl ssl-certificate keychain
OpenSSL (libssl) server can serve a single cert, a full chain, anything in between, or even extra certs that aren't needed, depending on the application or its middleware and for most applications or middleware depending on their configuration(s), so yes it's your code and/or configuration. PS: you don't need a hacked trustmanager to see the server's offered cert(s), just use
keytool -printcert -sslserver host[:port]
or openssl s_client -connect host:port [-servername host]
– dave_thompson_085
Nov 9 at 11:15
You are right, it is because of the application. I use wildfly-openssl; the code that sets the cert is:
X509Certificate certificate = keyManager.getCertificateChain(alias)[0];
........
SSL.getInstance().setCertificate(ctx, certificate.getEncoded().....);
I don't know if this means it only sets one of the full chain list. I am trying to contact the author of wildfly-openssl.
– wk_wk
Nov 15 at 2:20
Changing the software version from 1.0.4.Final to 1.0.6.Final is OK. From 1.0.6.Final there is no "artifactId:wildfly-openssl", but there is "artifactId:wildfly-openssl-java&wildfly-openssl-linux-x86_64". Thank you!
– wk_wk
Nov 15 at 5:27
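What the SSL test is flagging, reproduced offline as an added example (not code from the thread or from wildfly-openssl): a throwaway root, intermediate and leaf are generated, and the leaf is validated against the root once as a leaf-only bundle and once with the intermediate included. The function names and every certificate name are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example: every key, certificate and name here is constructed and throwaway.

# Build root -> intermediate -> leaf in directory $1.
make_chain() {
  local d=$1 name
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -set_serial 1 -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -set_serial 2 -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -days 2 -set_serial 3 -out "$d/leaf.pem" 2>/dev/null
}

# Number of certificates in a PEM bundle (what the server would send).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# True only if the first certificate in bundle $2 chains to trust anchor $1 using
# nothing but the other certificates in that bundle, as a client with no cached
# intermediates would have to.
chain_is_complete() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d f r
  d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  cp "$d/leaf.pem" "$d/leaf_only.pem"                   # only chain[0] is sent
  cat "$d/leaf.pem" "$d/int.pem" > "$d/full.pem"        # leaf plus intermediate
  for f in leaf_only full; do
    if chain_is_complete "$d/root.pem" "$d/$f.pem"; then r=complete; else r=incomplete; fi
    echo "$f.pem: $(cert_count "$d/$f.pem") certificate(s), chain $r"
  done
  rm -rf "$d"
}
demo
```

To run the same check against a real server, save the certificates it offers into one PEM file, leaf first, and pass that file with your trust anchor to `chain_is_complete`.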
edited Nov 9 at 6:52
Gayan Mettananda
asked Nov 9 at 6:46
wk_wk