hc-httpclient-users mailing list archives

From Chris Cheshire <cheshira...@gmail.com>
Subject Re: error matching ssl certificate
Date Fri, 17 May 2013 12:49:24 GMT
Thanks for the wikipedia link - I have been scratching my head in confusion
over this wondering why it wasn't using the Host header, and now it all
makes sense.

I'm still running under TC6, so no Java 7 at the moment. Is there a
solution for Java 6? If not, I'll have to upgrade because getting another
IP address is really just a band-aid (and a bad one at that) as I have a
feeling I'm going to run into this problem again shortly.

How stable is the beta of HttpClient 4.3?

Thanks

Chris
On Fri, May 17, 2013 at 3:52 AM, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Wed, 2013-05-15 at 11:53 -0400, Chris Cheshire wrote:
> > I have a single server configured hosting 3 domains, A.com, B.com, C.com,
> > all with their own SSL certificates. Accessing these domains via a browser
> > and SSL all works just fine.
> >
> > However, the web app on B needs to process a callback from C over SSL. B
> > has a wildcard certificate for *.B.com, and the production site is just
> > B.com. My testing sandbox is at X.B.com. Both work fine with the wildcard
> > certificate in a browser.
> >
> > To send the callback I am using HttpClient 4.2.3 :
> >
> > // imports used by the snippet below (HttpClient 4.2.x API)
> > import java.io.IOException;
> > import java.net.URI;
> > import java.net.URISyntaxException;
> > import javax.servlet.http.HttpServletResponse;
> > import org.apache.http.HttpResponse;
> > import org.apache.http.client.HttpClient;
> > import org.apache.http.client.methods.HttpGet;
> > import org.apache.http.client.utils.URIBuilder;
> > import org.apache.http.impl.client.DefaultHttpClient;
> > import org.apache.http.params.CoreConnectionPNames;
> >
> >         HttpClient httpClient = new DefaultHttpClient();
> >         // socket read timeout and connect timeout, both in milliseconds
> >         httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 30000);
> >         httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 30000);
> >
> >         try {
> >             URIBuilder builder = new URIBuilder(new URI("https://X.B.com/path"));
> >             URI uri = builder.build();
> >             HttpGet get = new HttpGet(uri);
> >             get.addHeader("User-Agent", "Mozilla/5.0");
> >
> >             HttpResponse response = httpClient.execute(get);
> >             int statusCode = response.getStatusLine().getStatusCode();
> >
> >             if (statusCode == HttpServletResponse.SC_OK) {
> >                 // 200: process the callback response
> >             }
> >             else {
> >                 // anything else: handle the error response
> >             }
> >         }
> >         catch (IOException ex) {
> >             this.log.error("error", ex);
> >         }
> >         catch (URISyntaxException ex) {
> >             this.log.error("error", ex);
> >         }
> >         finally {
> >             httpClient.getConnectionManager().shutdown();
> >         }
> >
> >
> > However, this throws the following exception :
> >
> > javax.net.ssl.SSLException: hostname in certificate didn't match: <X.B.com> != <www.A.com> OR <www.A.com> OR <A.com>
> >
> > at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227) ~[httpclient-4.2.3.jar:4.2.3]
> >
> >
> > I even tried setting the Host header manually to "X.B.com" and it still
> > didn't help (even though the docs say that this is set based upon the URI
> > provided to HttpClient).
> >
> >
> > What do I need to do to make the client negotiate the SSL connection for
> > the correct host so that the correct SSL certificate is matched up? Again,
> > the wildcard certificate works just fine in a browser for both B.com and
> > X.B.com, but not for HttpClient.
> >
>
> I suspect this is due to SNI extensions [1] that are supported by the
> browser but are not fully supported by Java.
>
> If your application is running on Oracle Java 1.7 you can activate SNI
> support as described here [2].
>
> Please note the code snippet in the Wiki page is written using
> HttpClient 4.3 APIs but a similar technique can be used with earlier
> versions of HttpClient.
>
> Oleg
>
> [1] http://en.wikipedia.org/wiki/Server_Name_Indication
> [2] https://wiki.apache.org/HttpComponents/SNISupport
>
> >
> > Thanks
> >
> >
> > Chris
>

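Oleg's diagnosis above is a protocol-level one: a TLS client that does not send the Server Name Indication extension in its ClientHello leaves a single-IP server with no way to know which of A.com, B.com or C.com is wanted, so it serves its default certificate and the client's hostname check then fails. The example below is added here and is not code from the thread, from HttpClient or from the SNISupport wiki page. It builds a minimal ClientHello with and without an SNI extension, parses the extension back out (the same check you would make on a captured handshake), and models the server-side certificate selection plus the client-side wildcard hostname check. The host names come from the thread; the virtual-host table and the default-certificate choice are constructed, and the error string only mirrors the format of the AbstractVerifier message quoted above.

```python
import struct

TLS_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00

# Constructed virtual-host table for the single-IP server in the thread.
# The first entry is the default certificate served when no SNI is present.
VHOST_CERTS = [
    ("A.com", ["www.A.com", "A.com"]),
    ("B.com", ["*.B.com", "B.com"]),
    ("C.com", ["C.com"]),
]


def build_client_hello(server_name=None, random_bytes=b"\x00" * 32):
    """Build a minimal TLS 1.0 ClientHello record (RFC 2246 / RFC 6066 layout).

    With server_name=None the ClientHello carries no extensions block at all,
    which is what a pre-SNI client sends."""
    body = b"\x03\x01"                          # client_version TLS 1.0
    body += random_bytes                        # 32-byte random (fixed here)
    body += b"\x00"                             # empty session_id
    cipher_suites = b"\x00\x2f\x00\x35"         # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                         # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO)
    handshake += struct.pack("!I", len(body))[1:]    # 24-bit length
    handshake += body
    record = struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake))
    return record + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None when the client sent no SNI."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    if pos >= len(body):
        return None                                  # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + length]; pos += length
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            lp = 2
            while lp < 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[lp:lp + 3]); lp += 3
                if name_type == SNI_HOST_NAME:
                    return data[lp:lp + name_len].decode("ascii")
                lp += name_len
    return None


def select_certificate(client_hello):
    """Server side: pick the certificate whose names cover the SNI host_name,
    falling back to the default certificate when no SNI was sent."""
    sni = extract_sni(client_hello)
    if sni is not None:
        for _vhost, names in VHOST_CERTS:
            if hostname_matches(sni, names):
                return names
    return VHOST_CERTS[0][1]


def hostname_matches(hostname, cert_names):
    """Client side: RFC 6125 style matching, where '*' stands for exactly one
    left-most label and comparison is case-insensitive."""
    host = hostname.lower().split(".")
    for name in cert_names:
        labels = name.lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def verify_hostname(hostname, cert_names):
    """Return None on a match, otherwise an error string in the shape of the
    HttpClient message quoted in the thread."""
    if hostname_matches(hostname, cert_names):
        return None
    return "hostname in certificate didn't match: <%s> != %s" % (
        hostname, " OR ".join("<%s>" % n for n in cert_names))


if __name__ == "__main__":
    for hello in (build_client_hello(), build_client_hello("X.B.com")):
        served = select_certificate(hello)
        print("SNI:", extract_sni(hello), "-> served", served,
              "->", verify_hostname("X.B.com", served) or "hostname OK")
```

Running the module shows the two outcomes side by side: the ClientHello without SNI is answered with the default A.com certificate and fails the hostname check for X.B.com, while the one carrying `server_name=X.B.com` is answered with the wildcard certificate and verifies. Note that the check is on the ClientHello, not on the Host header, which is why setting that header (as tried above) changes nothing: it travels inside the encrypted HTTP request, after the certificate has already been chosen.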