API Authentication and China

100 Undead Rogue
20760
I was working on trying to figure out what to urlencode and what not to for the authentication signature (more on this in another post) and I found this oddity.

I was doing secure authenticated requests on characters on Chinese realms (random selection from arenajunkies.com) and instead of getting an error 500 (see above about urlencoding), I was getting a Java SSL handshake exception.

On the battlenet.com.cn host:

https://battlenet.com.cn/api/wow/character/军团要塞/Vopott?fields=professions,guild
https://battlenet.com.cn/api/wow/character/纳克萨玛斯/神起苍穹?fields=professions,guild

The same goes for the cn.battle.net host:

https://cn.battle.net/api/wow/character/军团要塞/Vopott?fields=professions,guild
https://cn.battle.net/api/wow/character/纳克萨玛斯/神起苍穹?fields=professions,guild

Even Firefox doesn't like it. Unsecure requests:

http://battlenet.com.cn/api/wow/character/军团要塞/Vopott?fields=professions,guild
http://battlenet.com.cn/api/wow/character/纳克萨玛斯/神起苍穹?fields=professions,guild

do work. Did I hit the so-called Great Firewall of China?

Here is the stack trace:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
at ca.forklabs.wow.net.ARealTest.main(ARealTest.java:46)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:325)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:156)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
... 11 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:320)
... 17 more
Edited by Oscassey on 1/2/2012 9:55 PM PST
100 Undead Rogue
20760
Another question related to China. Documentation at http://blizzard.github.com/api-wow-docs/#id3379927 suggests secure requests when using authentication.

What is the preferred method for China? Should one send keys in the clear? Should one only do un-authenticated requests? Do quotas also apply to China? Something else?
1 Troll Rogue
0
I was getting a Java SSL handshake exception.

On the battlenet.com.cn host:

https://battlenet.com.cn/api/wow/character/军团要塞/Vopott?fields=professions,guild
https://battlenet.com.cn/api/wow/character/纳克萨玛斯/神起苍穹?fields=professions,guild

The same goes for the cn.battle.net host:

https://cn.battle.net/api/wow/character/军团要塞/Vopott?fields=professions,guild
https://cn.battle.net/api/wow/character/纳克萨玛斯/神起苍穹?fields=professions,guild

Even Firefox doesn't like it.

Read the "technical details" returned by Firefox. You'll see that https://battlenet.com.cn/ will return

battlenet.com.cn uses an invalid security certificate.

The certificate is only valid for *.battlenet.com.cn

So, use https://www.battlenet.com.cn/ and you won't get a certificate exception.
Edited by Ujournal on 1/2/2012 9:01 PM PST
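The mismatch described in the reply above, as an added example that is not part of the original thread: a wildcard certificate name covers exactly one extra label, so `*.battlenet.com.cn` matches `www.battlenet.com.cn` but not the bare `battlenet.com.cn`. The class and method names are hypothetical, and the matcher is a simplified sketch of the usual left-most-label rule (no IDN handling, no partial-label wildcards).

```java
import java.util.List;
import java.util.Locale;

public class WildcardHostCheck {
    /** True if host matches a certificate DNS name; "*" counts only as the whole left-most label. */
    static boolean matches(String certName, String host) {
        String p = certName.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);   // ignore a trailing root dot
        }
        if (!p.startsWith("*.")) {
            return p.equals(h);                   // no wildcard: exact match only
        }
        String suffix = p.substring(1);           // e.g. ".battlenet.com.cn"
        if (suffix.indexOf('*') >= 0 || !h.endsWith(suffix)) {
            return false;                         // extra wildcards or a different domain
        }
        String left = h.substring(0, h.length() - suffix.length());
        // The wildcard must stand for exactly one non-empty label:
        // the apex has no label to fill it, and "a.b" would be two labels.
        return !left.isEmpty() && left.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        String certName = "*.battlenet.com.cn";   // name reported by Firefox in the reply above
        List<String> hosts = List.of(             // constructed test inputs
                "battlenet.com.cn",
                "www.battlenet.com.cn",
                "WWW.BattleNet.com.cn",
                "a.b.battlenet.com.cn");
        for (String host : hosts) {
            System.out.printf("%-24s %s%n", host,
                    matches(certName, host) ? "match" : "MISMATCH");
        }
    }
}
```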
100 Undead Rogue
20760
01/02/2012 08:19 PM Posted by Ujournal
So, use https://www.battlenet.com.cn/ and you won't get a certificate exception.

Firefox doesn't give me errors, but Java still gives me the aforementioned exception.

Furthermore, the reputed InstallCert.java (from Sun no less) [1] cannot obtain the chain of certificates.

The only way I found to bypass that is to use the trick explained in this Stack Overflow question [2]. Implementing it and tracing gave me a couple more ideas, but they seem phony to me (i.e. put the certificate in my distribution).

What is the preferred method for China? Should one send keys in the clear? Should one only do un-authenticated requests? Do quotas also apply to China? Something else?


[1] https://www.google.com/search?q=installcert.java

[2] http://stackoverflow.com/questions/859111/how-do-i-accept-a-self-signed-certificate-with-a-java-httpsurlconnection
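For the "PKIX path building failed" error in the post above, an added example (not part of the original thread) of the option the poster mentions, shipping the certificate with the application: it trusts only the CA certificates in a bundled PEM file, for one connection, and leaves certificate and hostname validation switched on. The class name, method names and the PEM path argument are assumptions; the CA file itself has to be obtained and verified out of band.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ExtraTrustAnchor {
    // Build trust managers that accept only the CA certificates found in the given PEM file.
    static TrustManager[] trustManagersFor(String caPemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // start from an empty in-memory store
        int n = 0;
        try (InputStream in = Files.newInputStream(Paths.get(caPemPath))) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ks.setCertificateEntry("bundled-ca-" + n++, c);
            }
        }
        if (n == 0) throw new IllegalArgumentException("no certificates in " + caPemPath);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Apply the restricted trust to one connection; JVM-wide defaults and hostname checks are untouched.
    static HttpsURLConnection open(String url, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;                              // not connected yet
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = trustManagersFor(args[0]);   // args[0]: path to the bundled CA PEM (assumption)
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trust anchor: " + ca.getSubjectX500Principal());
                }
            }
        }
        if (args.length > 1) {                    // optional args[1]: an https URL to try
            System.out.println("HTTP " + open(args[1], tms).getResponseCode());
        }
    }
}
```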
85 Worgen Druid
6935
I was getting similar errors as the OP using C# -- an authentication exception using the China URLs specified in the community API docs.

I switched the domain to https://www.battlenet.com.cn/ as suggested, and that resolved the issue for me, both in code and directly from a browser.

I don't know if that information helps you at all, Oscassey -- perhaps there is something else going on with the code, or Java is just pickier...
92 Draenei Paladin
12550
mainly because the answer has been given...
Battle.net Developer
The docs have been changed to list www.battlenet.com.cn as the host for China.
Edited by Peratryn on 4/19/2012 10:46 AM PDT