I am trying to connect to a REST webservice using HTTPClient / URLConnection. It's simple code that works fine in JDK 1.7 but throws an SSLHandshakeException when using JDK 1.6

    IO Exception:  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching your.domain.name.com found.
...

    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching your.domain.name.com found.

Also, the code is very basic

    URL url = new URL("https://your.domain.name.com/services/");
    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    urlConnection.setRequestProperty("Authorization", "Basic " + encodedCredenials);
    urlConnection.setRequestProperty("Content-Type", "application/vnd.mtdomain.gold+json");
    InputStream is = urlConnection.getInputStream();

Is this a known issue between JDK 1.6 and 1.7? How can we get this fixed? I am not very fluent with SSL-related issues.

Riju Mahna
  • What is the URL you are invoking and what was the certificate which was presented? The host name verification appears to be failing. – Deepak Bala Feb 17 '15 at 11:14
  • I guess this is related to the missing support for SNI in JDK1.6. You probably get the wrong certificate. – Steffen Ullrich Feb 17 '15 at 11:15
  • @DeepakBala There was no certificate-related code done while connecting to this service. I've updated the question with my code – Riju Mahna Feb 17 '15 at 11:22
  • @RijuMahna: You're trying to connect to a HTTPS address. So JDK is handling SSL handshake internally for you. – zaerymoghaddam Feb 17 '15 at 13:52
  • We'd still need to see the certificate and the domain name you are trying to contact. Steffen is talking about this [bug](http://bugs.java.com/view_bug.do?bug_id=6985179) that was fixed in JDK7. I'm not sure how SNI would work without the client providing the server_name in its `hello` and how Java handles this. If you provide the domain name and the certificate chain involved, it would narrow the problem down. – Deepak Bala Feb 17 '15 at 14:02
  • When you run with the `-Djavax.net.debug=all` VM argument, you can collect SSL debug logs on the console. That would give a clue. – Manish Maheshwari Feb 17 '15 at 22:36
  • @RijuMahna Did you fix it? I am having the same issue. – Redone Nov 29 '16 at 11:23

1 Answer

This issue might have happened for one of the reasons below (wrong URL, corrupted certificate or invalid certificate).

To install the certificate, please use the syntax below.

Default Keystore

Installing Certificate to the Default Keystore (JDK cacerts)

  1. Export the certificate from the server (.cer)
  2. Open command prompt and go to JAVA_HOME/jre/lib/security
  3. Execute the following command

Windows

    keytool -import -v -alias -keystore cacerts -file \.cer

Password: changeit

Unix

    /bin/keytool -import -v -alias -keystore cacerts -file \.cer

Password: changeit

  4. Select option ‘yes’ and press enter

Custom Keystore

Installing Certificate to the Custom Keystore

  1. Export the certificate from the server (.cer)
  2. Open command prompt and go to the location where you want to create your custom keystore
  3. Execute the following command

Windows

    keytool -import -v -trustcacerts -alias -file \.cer -keystore .jks -keypass changeit

Password: changeit

Unix

    /bin/keytool -import -v -trustcacerts -alias -file \.cer -keystore .jks -keypass changeit

Password: changeit

  4. Select option ‘yes’ and press enter

Add the following System variables when invoking Custom Keystore

    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    -Dweblogic.security.TrustKeyStore=CustomTrust
    -Dweblogic.security.CustomTrustKeyStoreFileName=<location>/<keystore-name>.jks
    -Djavax.net.ssl.trustStore=<location>/<keystore-name>.jks
    -Djavax.net.ssl.trustStorePassword=changeit

Dharmesh Dhorajiya
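
A diagnostic for the SNI explanation raised in the comments, as an added example that is not part of the original question or answer: it completes the TLS handshake with normal chain validation but without a host name check, then prints which DNS names the presented certificate actually covers. Running it with the same host under JDK 1.6 and JDK 1.7 shows whether both receive the same certificate. The class name `SanCheck`, port 443 and the constructed SAN lists are assumptions, and the wildcard match is a simplification of the JDK's own check.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SanCheck {
    // DNS-type subject alternative names (GeneralName tag 2) of a certificate.
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return names; // certificate has no SAN extension
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() == 2) names.add((String) san.get(1));
        }
        return names;
    }

    // Simplified match: exact name, or "*.domain" covering exactly one left-most label.
    static boolean matches(String host, List<String> names) {
        int dot = host.indexOf('.');
        for (String n : names) {
            if (n.equalsIgnoreCase(host)) return true;
            if (n.startsWith("*.") && dot > 0
                    && n.substring(1).equalsIgnoreCase(host.substring(dot))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { // offline run on constructed SAN lists
            System.out.println(matches("your.domain.name.com", Arrays.asList("default.host.example")));
            System.out.println(matches("your.domain.name.com", Arrays.asList("*.domain.name.com")));
            return;
        }
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(args[0], 443);
        try {
            s.startHandshake(); // chain is checked against the trust store; the host name is not
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            List<String> names = dnsNames(leaf);
            System.out.println("java.version = " + System.getProperty("java.version"));
            System.out.println("subject      = " + leaf.getSubjectX500Principal());
            System.out.println("DNS SANs     = " + names);
            System.out.println("covers host  = " + matches(args[0], names));
        } finally {
            s.close();
        }
    }
}
```

If the two JDKs print different subjects for the same host, the server is choosing its certificate by SNI and the JDK 1.6 client is being handed a fallback certificate; importing a certificate into a keystore changes chain trust, not which names the certificate covers.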