Type: Feature Request
Resolution: No Resources
Affects Version/s: None
Fix Version/s: None
Just throwing this out there to see if anyone's thought about it.
We sometimes have an issue where, in the middle of the day, either an automated or a manual process changes the certificate on an LDAP SSL endpoint. This causes the following stack trace to recur:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.novell.ldap.Connection.writeMessage(Unknown Source)
It continues until the server is restarted, even if the new certificate has been added to the trust store (for example with this script: http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target).
I believe we could use a custom dynamic trust store (http://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/), which would reload these certificates and allow the server to continue without having to be restarted.
Here's the process I think this would need:
1. Include the code for this dynamic trust store.
2. Wrap it in a custom class that extends SSLSocketFactory.
3. Pass this SSLSocketFactory to LDAP and set it.
Haven't actually tried any of this yet; maybe someone else has, or has run into this? We could probably put in a "trust all" class too, but this seems safer.
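One way the three steps above could fit together, written as an added example (not code from this ticket, the linked blog posts, or the JLDAP project): a trust manager that keeps full PKIX validation but re-reads its trust store file whenever its modification time changes, built into an SSLContext and handed to JLDAP. It assumes a JKS file path and password supplied by the caller, and that JLDAP's LDAPJSSESecureSocketFactory accepts a javax.net.ssl.SSLSocketFactory.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
import com.novell.ldap.*;

/** X509TrustManager that re-reads its JKS trust store whenever the file on disk changes. */
public final class ReloadingTrustManager implements X509TrustManager {
    private final File storeFile;     // assumed: the JKS the certificate import script writes into
    private final char[] password;
    private volatile long loadedAt;   // mtime of the store when the delegate was last built
    private volatile X509TrustManager delegate;   // the JDK's PKIX trust manager over that store

    public ReloadingTrustManager(File storeFile, char[] password) throws Exception {
        this.storeFile = storeFile; this.password = password;
        reload();
    }

    /** Rebuild the delegate from the current file contents. */
    private synchronized void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storeFile)) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        loadedAt = storeFile.lastModified();
    }

    /** Cheap mtime check before each handshake; reload only when the store actually changed. */
    private void refreshIfStale() throws CertificateException {
        try {
            if (storeFile.lastModified() != loadedAt) reload();
        } catch (Exception e) {
            throw new CertificateException("trust store reload failed", e);
        }
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        refreshIfStale();
        delegate.checkServerTrusted(chain, authType);   // normal PKIX validation; nothing is blindly trusted
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        refreshIfStale();
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Steps 2 and 3: wrap the trust manager in an SSLSocketFactory and hand it to JLDAP. */
    public static LDAPConnection newLdapConnection(File storeFile, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(storeFile, password) }, null);
        return new LDAPConnection(new LDAPJSSESecureSocketFactory(ctx.getSocketFactory()));
    }
}
```

After the import script adds the new server certificate to the JKS file, the next handshake picks it up without a restart, while a certificate that is not in the store is still rejected exactly as before.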