hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: error matching ssl certificate
Date Fri, 17 May 2013 15:20:41 GMT
On Fri, 2013-05-17 at 08:49 -0400, Chris Cheshire wrote:
> Thanks for the wikipedia link - I have been scratching my head in confusion
> over this wondering why it wasn't using the Host header, and now it all
> makes sense.
> 
> I'm still running under TC6, so no Java 7 at the moment. Is there a
> solution for Java 6? 

None I know of.

> If not, I'll have to upgrade because getting another
> IP address is really just a bandaid (and a bad one at that) as I have a
> feeling I'm going to run into this problem again shortly.
> 
> How stable is the beta of HttpClient 4.3?
> 

It is quite stable for a BETA ;-) If your app is to go into production in a
few months I would strongly recommend migrating to 4.3 already. 4.3 GA
can be expected by mid-summer.

Oleg


> Thanks
> 
> Chris
> 
> 
> 
> 
> On Fri, May 17, 2013 at 3:52 AM, Oleg Kalnichevski <olegk@apache.org> wrote:
> 
> > On Wed, 2013-05-15 at 11:53 -0400, Chris Cheshire wrote:
> > > I have a single server configured hosting 3 domains, A.com, B.com, C.com,
> > > all with their own SSL certificates. Accessing these domains via a browser
> > > and SSL all works just fine.
> > >
> > > However, the web app on B needs to process a callback from C over SSL. B
> > > has a wildcard certificate for *.B.com, and the production site is just
> > > B.com. My testing sandbox is at X.B.com. Both work fine with the wildcard
> > > certificate in a browser.
> > >
> > > To send the callback I am using HttpClient 4.2.3:
> > >
> > > // imports used by the snippet below
> > > import java.io.IOException;
> > > import java.net.URI;
> > > import java.net.URISyntaxException;
> > >
> > > import javax.servlet.http.HttpServletResponse;
> > >
> > > import org.apache.http.HttpResponse;
> > > import org.apache.http.client.HttpClient;
> > > import org.apache.http.client.methods.HttpGet;
> > > import org.apache.http.client.utils.URIBuilder;
> > > import org.apache.http.impl.client.DefaultHttpClient;
> > > import org.apache.http.params.CoreConnectionPNames;
> > >
> > >         HttpClient httpClient = new DefaultHttpClient();
> > >         httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 30000);
> > >         httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 30000);
> > >
> > >         try {
> > >             URIBuilder builder = new URIBuilder(new URI("https://X.B.com/path"));
> > >             URI uri = builder.build();
> > >             HttpGet get = new HttpGet(uri);
> > >             get.addHeader("User-Agent", "Mozilla/5.0");
> > >
> > >             HttpResponse response = httpClient.execute(get);
> > >             int statusCode = response.getStatusLine().getStatusCode();
> > >
> > >             if (statusCode == HttpServletResponse.SC_OK) {
> > >                 // callback accepted
> > >             }
> > >             else {
> > >                 // callback rejected
> > >             }
> > >         }
> > >         catch (IOException ex) {
> > >             this.log.error("error", ex);   // this.log: the enclosing class's logger
> > >         }
> > >         catch (URISyntaxException ex) {
> > >             this.log.error("error", ex);
> > >         }
> > >         finally {
> > >             httpClient.getConnectionManager().shutdown();
> > >         }
> > >
> > >
> > > However, this throws the following exception:
> > >
> > > javax.net.ssl.SSLException: hostname in certificate didn't match: <X.B.com> != <www.A.com> OR <www.A.com> OR <A.com>
> > >     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227) ~[httpclient-4.2.3.jar:4.2.3]
> > >
> > >
> > > I even tried setting the Host header manually to "X.B.com" and it still
> > > didn't help (even though the docs say that this is set based upon the URI
> > > provided to HttpClient).
> > >
> > >
> > > What do I need to do to make the client negotiate the SSL connection for
> > > the correct host so that the correct SSL certificate is matched up? Again,
> > > the wildcard certificate works just fine in a browser for both B.com and
> > > X.B.com, but not for HttpClient.
> > >
> >
> > I suspect this is due to SNI extensions [1] that are supported by the
> > browser but are not fully supported by Java.
> >
> > If your application is running on Oracle Java 1.7 you can activate SNI
> > support as described here [2].
> >
> > Please note the code snippet in the Wiki page is written using
> > HttpClient 4.3 APIs but a similar technique can be used with earlier
> > versions of HttpClient.
> >
> > Oleg
> >
> > [1] http://en.wikipedia.org/wiki/Server_Name_Indication
> > [2] https://wiki.apache.org/HttpComponents/SNISupport
> >
> > >
> > > Thanks
> > >
> > >
> > > Chris
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >



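An added example of the technique Oleg describes, written for this edit; it is not code from the thread or from the HttpComponents wiki page he links. It assumes Oracle Java 7 (Java 6's JSSE has no client-side SNI, which is why there is no Java 6 answer), HttpClient 4.2.x on the classpath, the https://X.B.com/path URL from Chris's message, and a hypothetical class name SniCallback. The stack trace itself points at SNI: the server answered with www.A.com's certificate, which is what a name-based virtual host serves when no server_name extension arrives and it falls back to its default site.

```java
// Added example (not from the original thread or the HttpComponents wiki):
// make HttpClient 4.2.x send the TLS server_name (SNI) extension on Oracle Java 7.
//
// Why it fails: HttpClient 4.2's SSLSocketFactory.createSocket(HttpParams) returns an
// unconnected SSLSocket and then calls connect(InetSocketAddress) on it. JSSE in
// Java 7 only sends SNI when the socket was created with an explicit host name,
// i.e. via SSLSocketFactory.createSocket(Socket, String host, int port, boolean).
// Returning a plain socket here forces connectSocket() down that layering path.
//
// Assumptions: Oracle Java 7 (Java 6 JSSE has no client SNI support), httpclient
// 4.2.x on the classpath, and the placeholder host https://X.B.com/path from the thread.

import java.io.IOException;
import java.net.Socket;
import java.net.URI;

import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.CoreConnectionPNames;
import org.apache.http.params.HttpParams;

public class SniCallback {

    /** 4.2.x socket factory whose only change is how the initial socket is created. */
    static class SniSslSocketFactory extends SSLSocketFactory {

        SniSslSocketFactory(SSLContext ctx, X509HostnameVerifier verifier) {
            super(ctx, verifier);
        }

        // Hand back an unconnected *plain* socket. SSLSocketFactory.connectSocket() then
        // connects it and layers TLS on top with createSocket(sock, hostname, port, true),
        // which on Java 7 puts the host name into the ClientHello server_name extension.
        @Override
        public Socket createSocket(HttpParams params) throws IOException {
            return SocketFactory.getDefault().createSocket();
        }
    }

    /** Sends the callback GET and returns the HTTP status code. */
    public static int fetch(String url) throws Exception {
        DefaultHttpClient httpClient = new DefaultHttpClient();
        httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 30000);
        httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 30000);

        // Keep real hostname verification. The tempting "fix" of swapping in
        // ALLOW_ALL_HOSTNAME_VERIFIER makes the mismatch go away by accepting any
        // certificate, which is exactly what a man-in-the-middle needs. STRICT still
        // lets *.B.com match the single label X.B.com.
        SSLSocketFactory sniFactory = new SniSslSocketFactory(
                SSLContext.getDefault(), SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        httpClient.getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", 443, sniFactory));

        try {
            HttpGet get = new HttpGet(new URI(url));
            get.addHeader("User-Agent", "Mozilla/5.0");
            HttpResponse response = httpClient.execute(get);
            return response.getStatusLine().getStatusCode();
        } finally {
            httpClient.getConnectionManager().shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host from the thread; replace with the real callback URL.
        int status = fetch("https://X.B.com/path");
        System.out.println(status == HttpStatus.SC_OK ? "callback delivered" : "HTTP " + status);
    }
}
```

The only behavioural change is in createSocket(HttpParams): the stock 4.2 factory returns an unconnected SSLSocket and connects it with connect(InetSocketAddress), which on Java 7 produces a ClientHello without server_name; returning a plain socket makes connectSocket() take its layering branch, where JSSE records the host name and sends it. To confirm the diagnosis before changing code, compare `openssl s_client -connect X.B.com:443` with and without `-servername X.B.com`: without SNI the server should present the A.com chain, with it the *.B.com chain. The same idea carries over to the 4.3 socket factory Oleg refers to, with the 4.3 method names in place of the 4.2 ones.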

