Is there any known issue with OpenJDK 8 (1.8.0_232) and some HTTPS connections causing HTTP error 403?

2
votes

When running Saxon 9.9.1.6 HE with Java 1.8.0_232 (java -version outputs

openjdk version "1.8.0_232"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_232-b09)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.232-b09, mixed mode)

) and the command line java -cp 'C:\Program Files\Saxonica\Saxon9.9HE\saxon9he.jar' net.sf.saxon.Query -t .\harry-potter-api-ex1.xq to run an XQuery program trying to access https://www.potterapi.com/v1/sortingHat I always get an error FOUT1170: Server returned HTTP response code: 403 for URL: https://www.potterapi.com/v1/sortingHat.

Running Java 12.0.1 (java -version output

openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode)

) on the same machine with the same Saxon version the query always works/is able to make the HTTPS access.

Is there any known issue with Java 8/1.8 that could cause this? Is anyone using Oracle JRE 1.8 getting the same error?

The XQuery file is 

declare namespace map = "http://www.w3.org/2005/xpath-functions/map";
declare namespace array = "http://www.w3.org/2005/xpath-functions/array";

declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";

declare option output:method 'json';
declare option output:indent 'yes';


json-doc('https://www.potterapi.com/v1/sortingHat')

I have tested some other HTTPS connections with Saxon and Java 8/1.8 and they do work but I for the given URL I always get the error with Java 8/1.8 and no error with Java 12.

BaseX also gives me [FOUT1170] Resource 'https://www.potterapi.com/v1/sortingHat' cannot be retrieved. when running with Java 8 and runs the query fine with Java 12.

I also tried some Java code now

    System.out.println(System.getProperty("java.version"));

    URL url = new URL("https://www.potterapi.com/v1/sortingHat");

    HttpURLConnection con = (HttpURLConnection)url.openConnection();

    try {
        con.connect();
        System.out.println(con.getResponseCode());
    }
    finally {
        con.disconnect();
    }

and the output is

1.8.0_232
403

for Java 1.8 and

12.0.1
200

Any idea what could be causing the 403 with Java 1.8/8?

1
javaxquerysaxonbasex

1 Answers

5
votes

This is a certificate / CA trust issue.

If you check the certificate of the https://www.potterapi.com/v1/sortingHat (e.g. by opening the url in a browser and click on the padlock icon) you will find that it was issued by COMODO ECC Domain Validation Secure Server CA 2.

Next, if you check the content of JEP 319: Root Certificates you will find that Comodo (and other CAs) were added to OpenJDK as part of Java 10. Consequently, since older Java versions such as Java 8 does not have the Comodo CA in its certificate chain, the server (potterapi in this example) will reject it during the TLS handshake and respond with 403 - Forbidden.