Posted to httpclient-users@hc.apache.org by Chris Cheshire <ch...@gmail.com> on 2013/05/15 17:53:41 UTC

error matching ssl certificate

I have a single server configured hosting 3 domains, A.com, B.com, C.com,
all with their own SSL certificates. Accessing these domains via a browser
and SSL all works just fine.

However, the web app on B needs to process a callback from C over SSL. B
has a wildcard certificate for *.B.com, and the production site is just
B.com. My testing sandbox is at X.B.com. Both work fine with the wildcard
certificate in a browser.

To send the callback I am using HttpClient 4.2.3 :

        HttpClient httpClient = new DefaultHttpClient();
        // 30 second socket read timeout and connect timeout
        httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 30000);
        httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 30000);

        try {
            URIBuilder builder = new URIBuilder(new URI("https://X.B.com/path"));
            URI uri = builder.build();
            HttpGet get = new HttpGet(uri);
            get.addHeader("User-Agent", "Mozilla/5.0");

            HttpResponse response = httpClient.execute(get);
            int statusCode = response.getStatusLine().getStatusCode();

            if (statusCode == HttpServletResponse.SC_OK) {

            }
            else {

            }
        }
        catch (IOException ex) {
            this.log.error("error", ex);
        }
        catch (URISyntaxException ex) {
            this.log.error("error", ex);
        }
        finally {
            // release the connection manager's resources
            httpClient.getConnectionManager().shutdown();
        }


However, this throws the following exception :

javax.net.ssl.SSLException: hostname in certificate didn't match: <X.B.com> != <www.A.com> OR <www.A.com> OR <A.com>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227) ~[httpclient-4.2.3.jar:4.2.3]


I even tried setting the Host header manually to "X.B.com" and it still
didn't help (even though the docs say that this is set based upon the URI
provided to HttpClient).


What do I need to do to make the client negotiate the SSL connection for
the correct host so that the correct SSL certificate is matched up? Again,
the wildcard certificate works just fine in a browser for both B.com and
X.B.com, but not for HttpClient.


Thanks


Chris

Re: error matching ssl certificate

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Fri, 2013-05-17 at 08:49 -0400, Chris Cheshire wrote:
> Thanks for the Wikipedia link - I have been scratching my head in confusion
> over this wondering why it wasn't using the Host header, and now it all
> makes sense.
> 
> I'm still running under TC6, so no Java 7 at the moment. Is there a
> solution for Java 6? 

None I know of.

> If not, I'll have to upgrade because getting another
> IP address is really just a bandaid (and a bad one at that) as I have a
> feeling I'm going to run into this problem again shortly.
> 
> How stable is the beta of HttpClient 4.3?
> 

It is quite stable for a BETA ;-) If your app is to go productive in a
few months I would strongly recommend migrating to 4.3 already. 4.3 GA
can be expected by mid Summer.

Oleg


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: error matching ssl certificate

Posted by Chris Cheshire <ch...@gmail.com>.
Thanks for the Wikipedia link - I have been scratching my head in confusion
over this wondering why it wasn't using the Host header, and now it all
makes sense.

I'm still running under TC6, so no Java 7 at the moment. Is there a
solution for Java 6? If not, I'll have to upgrade because getting another
IP address is really just a bandaid (and a bad one at that) as I have a
feeling I'm going to run into this problem again shortly.

How stable is the beta of HttpClient 4.3?

Thanks

Chris




On Fri, May 17, 2013 at 3:52 AM, Oleg Kalnichevski <ol...@apache.org> wrote:

> I suspect this is due to SNI extensions [1] that are supported by the
> browser but are not fully supported by Java.
>
> If your application is running on Oracle Java 1.7 you can activate SNI
> support as described here [2].
>
> Please note the code snippet in the Wiki page is written using
> HttpClient 4.3 APIs but a similar technique can be used with earlier
> versions of HttpClient.
>
> Oleg
>
> [1] http://en.wikipedia.org/wiki/Server_Name_Indication
> [2] https://wiki.apache.org/HttpComponents/SNISupport

Re: error matching ssl certificate

Posted by Oleg Kalnichevski <ol...@apache.org>.
I suspect this is due to SNI extensions [1] that are supported by the
browser but are not fully supported by Java.

If your application is running on Oracle Java 1.7 you can activate SNI
support as described here [2].

Please note the code snippet in the Wiki page is written using
HttpClient 4.3 APIs but a similar technique can be used with earlier
versions of HttpClient.

Oleg   

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://wiki.apache.org/HttpComponents/SNISupport
