
NoSuchAlgorithmException: PKIX TrustManagerFactory not available

Open flocsy opened this issue 3 years ago • 7 comments

The following code:

    private static final OkHttpClient okHttpClient = new OkHttpClient();

produces the following error when run in openjdk 17 using okhttp3 version 4.10.0:

    java.security.NoSuchAlgorithmException: PKIX TrustManagerFactory not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/javax.net.ssl.TrustManagerFactory.getInstance(TrustManagerFactory.java:164)
        at okhttp3.internal.platform.Platform.platformTrustManager(Platform.kt:78)
        at okhttp3.OkHttpClient.<init>(OkHttpClient.kt:237)
        at okhttp3.OkHttpClient.<init>(OkHttpClient.kt:222)

flocsy avatar Aug 09 '22 13:08 flocsy

What is the output from java -version?

yschimke avatar Aug 09 '22 13:08 yschimke

    java -version
    openjdk version "17.0.3" 2022-04-19
    OpenJDK Runtime Environment (build 17.0.3+7-Ubuntu-0ubuntu0.22.04.1)
    OpenJDK 64-Bit Server VM (build 17.0.3+7-Ubuntu-0ubuntu0.22.04.1, mixed mode, sharing)

flocsy avatar Aug 09 '22 13:08 flocsy

It suggests the following is failing, which is worrying. Have you changed any security config?

https://github.com/square/okhttp/blob/okhttp_4.10.x/okhttp/src/main/kotlin/okhttp3/internal/platform/Platform.kt#L78

    val factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm())

yschimke avatar Aug 09 '22 13:08 yschimke

Not that I know of. This is a new AMI that devops prepared, because we're trying to move from java 8 to java 17, so there are lots of differences (like tomcat 9 instead of 7). Where would such security changes be in the filesystem?

flocsy avatar Aug 09 '22 13:08 flocsy

It turned out that we have the following:

    ssl.KeyManagerFactory.algorithm=SunX509
    ssl.TrustManagerFactory.algorithm=PKIX

flocsy avatar Aug 09 '22 13:08 flocsy

It's unlikely I can help from here, but we would expect that line of code above to execute, so can you confirm that first?

yschimke avatar Aug 09 '22 13:08 yschimke

Yes, according to the stack trace it executes that line. I asked devops to remove those 2 lines from the security settings, so we'll soon try it with the default settings of the JRE.

flocsy avatar Aug 09 '22 13:08 flocsy

Closing, not an OkHttp issue.

yschimke avatar Aug 27 '22 13:08 yschimke
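
A stand-alone diagnostic for the failure discussed in this thread, added here as an example (it is not OkHttp code and was not posted by either participant). It prints the configured default algorithm, where the JDK 9+ security settings live, and which registered providers offer a `TrustManagerFactory`, then repeats the call from `Platform.kt`. The class name `TrustManagerDiag` is an assumption.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic, not OkHttp code. Run it with the same JVM and flags as the failing app.
public class TrustManagerDiag {
    public static void main(String[] args) {
        // Property from the thread; getDefaultAlgorithm() uses a built-in default when it is unset.
        System.out.println("ssl.TrustManagerFactory.algorithm = "
                + Security.getProperty("ssl.TrustManagerFactory.algorithm"));
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        System.out.println("default algorithm = " + alg);

        // Where the settings can come from: the JDK's own file (JDK 9+ layout)
        // and an optional extra file named by -Djava.security.properties.
        Path conf = Path.of(System.getProperty("java.home"), "conf", "security", "java.security");
        System.out.println(conf + " exists: " + Files.exists(conf));
        System.out.println("java.security.properties = "
                + System.getProperty("java.security.properties"));

        // getInstance() only succeeds if a registered provider offers this service.
        boolean offered = false;
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("TrustManagerFactory".equals(s.getType())) {
                    System.out.println(p.getName() + " offers TrustManagerFactory." + s.getAlgorithm());
                    offered |= s.getAlgorithm().equalsIgnoreCase(alg);
                }
            }
        }
        if (!offered) {
            System.out.println("No registered provider offers " + alg
                    + "; check the security.provider.N entries in java.security");
        }

        // Same call as Platform.kt line 78, then load the default trust store.
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
            tmf.init((KeyStore) null);
            System.out.println("OK: " + tmf.getProvider().getName() + ", "
                    + tmf.getTrustManagers().length + " trust manager(s)");
        } catch (Exception e) {
            System.out.println("FAILED: " + e);
        }
    }
}
```

On Java 11 and later it can be launched directly with `java TrustManagerDiag.java`; running it inside the application server's JVM options shows whether those options change the result.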