SSL Handshake Exception During CMSIS Pack Download
The issue at hand involves a failure in the SSL handshake process when attempting to download the CMSIS pack using ARM Development Studio 2020.0. The specific error message is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. This error indicates that the Java runtime environment (JRE) used by ARM Development Studio is unable to establish a secure connection to the server hosting the CMSIS pack due to a missing or invalid SSL certificate.
The error is rooted in the Java Secure Socket Extension (JSSE) framework, which is responsible for providing SSL and TLS protocols for secure communication. When the JRE attempts to establish a secure connection, it validates the server’s SSL certificate against a set of trusted certificates stored in a keystore file, typically located at java/lib/security/cacerts. If the server’s certificate is not signed by a trusted Certificate Authority (CA) or if the CA’s certificate is not present in the keystore, the JRE throws the SunCertPathBuilderException.
In the context of ARM Development Studio, the JRE bundled with the software is used to manage various tasks, including downloading software packs like CMSIS. The error suggests that the JRE’s keystore does not contain the necessary CA certificates to validate the server’s SSL certificate. This could be due to several reasons, such as an outdated keystore, a missing CA certificate, or an issue with the server’s certificate chain.
Outdated Keystore and Missing CA Certificates
One of the primary causes of the SSL handshake failure is an outdated keystore in the JRE bundled with ARM Development Studio. The keystore file, cacerts, contains a collection of trusted CA certificates that are used to validate SSL certificates presented by servers. Over time, new CAs emerge, and existing CAs may update their certificates. If the keystore is not updated regularly, it may lack the necessary CA certificates to validate newer SSL certificates, leading to the SunCertPathBuilderException.
Another potential cause is the absence of a specific CA certificate required to validate the server’s SSL certificate. The server hosting the CMSIS pack may be using a certificate signed by a CA that is not included in the default keystore. This can happen if the CA is relatively new or if the server is using a certificate from a private or internal CA that is not widely recognized.
Additionally, the server’s SSL certificate chain may be incomplete or improperly configured. A certificate chain consists of the server’s certificate, intermediate CA certificates, and the root CA certificate. If any of these certificates are missing or incorrectly configured, the JRE may be unable to build a valid certification path, resulting in the SunCertPathBuilderException.
Updating the Keystore and Importing Missing CA Certificates
To resolve the SSL handshake failure, the first step is to update the keystore in the JRE bundled with ARM Development Studio. The keystore can be updated by downloading the latest version of the cacerts file from a trusted source or by manually importing the missing CA certificates. The keystore file is typically located at xxx\Arm\Development Studio 2020.0\sw\java\lib\security\cacerts.
To update the keystore, follow these steps:
- Download the Latest Keystore: Obtain the latest version of the cacerts file from a trusted source, such as the official Oracle website or the OpenJDK project. Ensure that the downloaded keystore is compatible with the version of the JRE used by ARM Development Studio.
- Back Up the Existing Keystore: Before replacing the existing keystore, create a backup of the current cacerts file. This allows you to revert to the original keystore if any issues arise during the update process.
- Replace the Keystore: Replace the existing cacerts file with the newly downloaded version. Ensure that the file permissions are set correctly to allow the JRE to access the keystore.
- Verify the Update: Restart ARM Development Studio and attempt to download the CMSIS pack again. If the keystore update was successful, the SSL handshake should complete without errors.
If updating the keystore does not resolve the issue, the next step is to manually import the missing CA certificates. This process involves obtaining the CA certificate required to validate the server’s SSL certificate and adding it to the keystore.
To manually import a CA certificate, follow these steps:
- Obtain the CA Certificate: Download the CA certificate from the CA’s official website or obtain it from the server administrator. Ensure that the certificate is in the correct format (typically .crt or .pem).
- Import the Certificate: Use the keytool utility, which is included with the JRE, to import the CA certificate into the keystore. The following command can be used to import the certificate:
  keytool -import -trustcacerts -file <path_to_certificate> -keystore <path_to_keystore> -alias <alias_name>
  Replace <path_to_certificate> with the path to the CA certificate, <path_to_keystore> with the path to the cacerts file, and <alias_name> with a unique alias for the certificate.
- Verify the Import: After importing the certificate, verify that it has been added to the keystore using the following command:
  keytool -list -keystore <path_to_keystore> -alias <alias_name>
  This command should display the details of the imported certificate.
- Restart ARM Development Studio: Restart ARM Development Studio and attempt to download the CMSIS pack again. If the CA certificate was correctly imported, the SSL handshake should complete successfully.
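The import procedure above as a script, with one added safeguard: the certificate is imported only if its SHA-256 fingerprint matches a value obtained separately from the CA or the server administrator, and the keystore is backed up first. This is an added example, not from the original page or from ARM; the function names are hypothetical, and it assumes a POSIX shell with the bundled JRE's keytool on PATH and the stock cacerts password changeit.

```shell
#!/bin/sh
# Added example: import a CA certificate into a JRE trust store only after its
# SHA-256 fingerprint matches a value obtained out of band.
# Usage: sh import_ca.sh <path_to_certificate> <path_to_keystore> <alias_name> <expected_sha256>

STOREPASS="${STOREPASS:-changeit}"   # "changeit" is the stock cacerts password

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` output on stdin, print the normalised SHA-256 value.
extract_sha256() {
    fp=$(sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)
    norm_fp "$fp"
}

# Succeeds only when the fingerprint in $1 (printcert output) equals $2.
fp_matches() {
    actual=$(printf '%s\n' "$1" | extract_sha256)
    [ -n "$actual" ] && [ "$actual" = "$(norm_fp "$2")" ]
}

import_ca() {    # $1 = cert, $2 = keystore, $3 = alias, $4 = expected SHA-256
    info=$(keytool -printcert -file "$1") || return 1
    if ! fp_matches "$info" "$4"; then
        echo "fingerprint mismatch, not importing $1" >&2
        return 1
    fi
    cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)" || return 1   # backup first
    keytool -importcert -trustcacerts -noprompt -file "$1" \
        -keystore "$2" -alias "$3" -storepass "$STOREPASS" || return 1
    # Confirm the entry is present, as in the verification step above.
    keytool -list -keystore "$2" -alias "$3" -storepass "$STOREPASS"
}

# Run only when called with the four arguments; otherwise just define functions.
if [ "$#" -eq 4 ]; then
    import_ca "$@"
fi
```

A fingerprint mismatch leaves the keystore untouched, which matters because every certificate added to cacerts becomes a trust anchor for all TLS connections made by that JRE.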
If the issue persists after updating the keystore and importing the necessary CA certificates, it may be necessary to investigate the server’s SSL certificate chain. Ensure that the server’s certificate chain is complete and correctly configured. If any intermediate or root CA certificates are missing, they should be added to the keystore following the same process as above.
In summary, the SSL handshake failure in ARM Development Studio 2020.0 is primarily caused by an outdated keystore or missing CA certificates. By updating the keystore and importing the necessary CA certificates, the issue can be resolved, allowing for successful downloads of the CMSIS pack. If the problem persists, further investigation into the server’s SSL certificate chain may be required.