Jetty 11.0.26: HTTPS via HTTP proxy fails with PKIX path building unless SSL/truststore explicitly configured

[suraj-rajput-maker]

Hi team,

After upgrading from Jetty 11.0.5 to 11.0.26, HTTPS requests made through an HTTP proxy fail with an SSLHandshakeException.

Context -

Client: Jetty HttpClient used via Jersey’s Jetty connector
Jetty versions tested: 11.0.5 (works), 11.0.26 (fails)
JDK: 21
Target URL: https://docs.oracle.com/en/ (public CA-signed)
Proxy: standard HTTP proxy (no proxy TLS interception in the failing case)
Observed error (excerpt)
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What changed?
With 11.0.5 and earlier, HTTPS over proxy appeared to use the JVM’s default truststore implicitly. Starting in 11.0.26, the same code fails.

Questions

Was there an intentional change in 11.0.26 that stopped implicitly using the JVM default trust store for HTTPS when a proxy is involved?

It appears that Jetty 11.0.16 introduced TLS/SSL hardening, although this is not clearly documented in the release notes: https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.16

The test connects to https://docs.oracle.com/en/, which presents a TLS certificate signed by a publicly trusted CA. With Jetty 11.0.15 and earlier, the client implicitly used the JVM’s default truststore, but from 11.0.16 onward a custom truststore configuration seems required for HTTPS connections when using a proxy.

Are there any deprecations or API changes around proxy configuration and authentication in 11.0.26+ we should adopt to avoid warnings with Jersey’s Jetty connector?

Stack trace -

[ERROR] com.dummy.package.restclient.RestClientProxyTest.testHttpsURIAccessed -- Time elapsed: 0.909 s <<< ERROR!
jakarta.ws.rs.ProcessingException: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.glassfish.jersey.jetty.connector.JettyConnector.apply(JettyConnector.java:149)
	at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:300)
	at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:674)
	at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:709)
	at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:703)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
	at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:703)
	at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:673)
	at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:413)
	at com.dummy.package.restclient.RestClientProxyTest.testHttpsURIAccessed(RestClientProxyTest.java:171)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
Caused by: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.eclipse.jetty.client.util.FutureResponseListener.getResult(FutureResponseListener.java:113)
	at org.eclipse.jetty.client.util.FutureResponseListener.get(FutureResponseListener.java:96)
	at org.glassfish.jersey.jetty.connector.JettyConnector.apply(JettyConnector.java:130)
	... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1318)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:657)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:1064)
	at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
	at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:377)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:838)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
	at java.base/sun.security.validator.Validator.validate(Validator.java:256)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1296)
	... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
	... 22 more

[joakime]

Jetty 11 is at EOL.

• EOL (End of Life) for Eclipse Jetty 9, 10, 11 and CometD 5, 6, 7 - Update (Oct, 2025) #13984

[joakime]

Your issues have to do with things outside of the control of Jetty.

• your JVM has the rules for certificate validation (not Jetty).
• your JVM might be using the OS level cacerts which is updated on a different schedule than the JVM.
• the remote certificates on whatever server you are attempting to connect to could have updated its certificate to make it no longer compatible with your combination of JVM + OS cacerts.

When working with TLS / SSL on the public internet, it is advisable to always keep your OS cacerts and the JVM up to date for maximum compatibility with the rapidly changing encryption landscape.

https://www.java.com/en/jre-jdk-cryptoroadmap.html

[suraj-rajput-maker]

Hi @joakime
Sorry for delayed response as I was out sick for few weeks.

This does not appear to be a JDK issue. Using the exact same JDK and identical JVM/system properties, the behaviour changes between Jetty 11.0.15 (works) and 11.0.16+ (fails) for HTTPS over an HTTP proxy when no explicit SSL/truststore is configured.

Observation

11.0.15: succeeds without explicit truststore/SSLContext
11.0.16+: [ERROR] RestClientProxyTest.testHttpsURIAccessed:171 ? Processing java.util.concurrent.ExecutionException: java.net.SocketTimeoutException: Connect Timeout

Here is the test case that is failing ->

Test
    @DisplayName("Verify successful access of Https URI.")
    void testHttpsURIAccessed() throws InterruptedException {

        configureHttpsAndHttpProxy();
//configures properties like (KEY_HTTPS_PROXY_HOST, "emeacache.uk.oracle.com") && (KEY_HTTP_PROXY_HOST, "www-proxy-ams.nl.oracle.com")

        for (int i = 0; i < 10; i++) {

            Client client = restClientFactory.getRestClient(null, null, None, null);

            assertEquals(1, JettyConnectorProvider.getHttpClient(client).getProxyConfiguration().getProxies().size());
            assertEquals(System.getProperty(KEY_HTTPS_PROXY_HOST),
                    JettyConnectorProvider.getHttpClient(client).getProxyConfiguration().getProxies().getFirst().getAddress()
                            .getHost());

    
            Response response = client.target("https://docs.oracle.com/en/").request().method("GET");
            assertThat("Response code should be 200", response.getStatus() == 200);
            response.readEntity(String.class);
            response.close();
        }

        clearHttpsAndHttpProxy(); // clears the system properties
    }

Test Steps:

1. Configure HTTPS and HTTP Proxy: The configureHttpsAndHttpProxy() method is called to set up the proxy configuration.
2. Loop 10 times: The test loops 10 times using a for loop.
3. Create a new REST client: Inside the loop, a new instance of Client is created using the restClientFactory.getRestClient() method, passing null values for some parameters.
4. Verify proxy configuration: Two assertions are made:
5. assertEquals(1, JettyConnectorProvider.getHttpClient(client).getProxyConfiguration().getProxies().size()): Verifies that there is exactly one proxy configured.
6. assertEquals(System.getProperty(KEY_HTTPS_PROXY_HOST), ...): Verifies that the proxy host matches the expected value stored in a system property (KEY_HTTPS_PROXY_HOST).
7. Send a GET request to an HTTPS URI: A GET request is sent to "https://docs.oracle.com/en/" using the client.target() method.
8. Verify response status code: An assertion checks that the response status code is 200 (OK) using assertThat.
9. Read response entity: The response entity is read as a string using response.readEntity(String.class).
10. Close the response: The response is closed using response.close().
11. Repeat steps 3-8: The loop repeats 9 more times.
12. Clear HTTPS and HTTP Proxy: After the loop completes, the clearHttpsAndHttpProxy() method is called to clean up the proxy configuration.

[joakime]

Jetty 11 is EOL.

• EOL (End of Life) for Jetty 10 / Jetty 11 - January 2025 #10485
• EOL (End of Life) for Eclipse Jetty 9, 10, 11 and CometD 5, 6, 7 - Update (Oct, 2025) #13984

Upgrade to a supported version of Jetty for further open source help.
As of this writing, that would be Jetty 12.1.4

[suraj-rajput-maker]

Hi @joakime
Thank you for your quick response.
The above issue is resolved by upgrading to jetty 12.1.4.

Right now we are facing issue with jersey compatibility with jetty & we are trying to resolve that.
Thanks again for helping us out.

[suraj-rajput-maker]

Hi @joakime ,

Apologies for the previous message—it seems the issue persists even after upgrading to Jersey 12.1.4 or 12.0.30.

I've attached a standalone test for your reference: [jetty-client-test.zip].

Observation: The test com.example.JettyHttpsProxyTest.testProxySelectorHttpProxyWithHttpsAndHttpSystemProperty fails only when both https.proxyHost and http.proxyHost system properties are set, while using the custom ProxySelectorHttpProxy. This class is designed to honor the standard JDK proxy properties https.proxyHost and http.proxyHost. Notably, the method RestClientFactoryImpl#configureProxySupport prioritizes https.proxyHost when both are configured.

Environment Details:

JDK: 21
Jersey: 12.1.4 or 12.0.30 (tried both)
Jakarta EE: 9.1
Jersey Client: 3.0.17 or 3.1.7 (tried both)

jetty-client-test.zip

[sbordet]

Jetty does not honor the https.proxyHost or the http.proxyHost system properties.
I'm not sure whether Jersey does it, but apparently not so.

Forward proxies must be configured explicitly in the code.