SSLHandshakeException: No subject alternative names present

I am calling the HTTPS SOAP web service through Java code. I have already imported a self-signed certificate into the JRE cacerts keystore. Now I get:

com.sun.xml.internal.ws.com.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present 

The host name of the service URL does not match the CN specified in the certificate. I read about a workaround that defines a custom hostname verifier here. But I cannot work out where in my code I have to apply the workaround.

    import java.util.HashMap;
    import javax.xml.namespace.QName;
    import javax.xml.soap.*;
    import javax.xml.ws.Dispatch;
    import javax.xml.ws.Service;
    import javax.xml.ws.soap.SOAPBinding;

    public SOAPMessage invokeWS(WSBean bean) throws Exception {
        SOAPMessage response = null;
        try {
            /** Create a service and add at least one port to it. **/
            String targetNameSpace = bean.getTargetNameSpace();
            String endpointUrl = bean.getEndpointUrl();
            QName serviceName = new QName(targetNameSpace, bean.getServiceName());
            QName portName = new QName(targetNameSpace, bean.getPortName());
            String SOAPAction = bean.getSOAPAction();
            HashMap<String, String> map = bean.getParameters();

            Service service = Service.create(serviceName);
            service.addPort(portName, SOAPBinding.SOAP11HTTP_BINDING, endpointUrl);

            /** Create a Dispatch instance from a service. **/
            Dispatch<SOAPMessage> dispatch = service.createDispatch(portName,
                    SOAPMessage.class, Service.Mode.MESSAGE);

            // The soapActionUri is set here, otherwise we get an error on .NET-based
            // services.
            dispatch.getRequestContext().put(Dispatch.SOAPACTION_USE_PROPERTY, Boolean.TRUE);
            dispatch.getRequestContext().put(Dispatch.SOAPACTION_URI_PROPERTY, SOAPAction);

            /** Create SOAPMessage request. **/
            // compose a request message
            MessageFactory messageFactory = MessageFactory.newInstance();
            SOAPMessage message = messageFactory.createMessage();

            // Create objects for the message parts
            SOAPPart soapPart = message.getSOAPPart();
            SOAPEnvelope envelope = soapPart.getEnvelope();
            SOAPBody body = envelope.getBody();
            SOAPElement bodyElement = body.addChildElement(bean.getInputMethod(),
                    bean.getPrefix(), bean.getTargetNameSpace());

            // ...more code to form soap body goes here

            // Print request
            message.writeTo(System.out);

            // Save the message
            message.saveChanges();

            // This is the call that opens the HTTPS connection to endpointUrl
            response = dispatch.invoke(message);
        } catch (Exception e) {
            log.error("Error in invokeSiebelWS :" + e);
        }
        return response;
    }

Please ignore the WSBean parameter; the namespaces and other WSDL attributes come from this bean. And if this exception can be resolved with some workaround, please do suggest one.

+49
java soap ssl tomcat
Apr 21 '12 at 10:24
2 answers

Thank you, Bruno, for giving me the heads-up on the Common Name and Subject Alternative Name. We found out that the certificate was generated with a CN set to the DNS name of the network, and asked for a new certificate to be generated with a Subject Alternative Name entry, i.e. san=ip:10.0.0.1, which is the actual solution.

But we managed to find a workaround that we can work with during the development stage. Just add a static block to the class from which we create the SSL connection.

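    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    static {
        // Replaces the default verifier for every HttpsURLConnection in the JVM
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                // IP address of the service URL (like 23.28.244.244)
                if (hostname.equals("23.28.244.244"))
                    return true;
                return false;
            }
        });
    }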

If you use Java 8, there is a much smoother way to achieve the same result:

    static {
        HttpsURLConnection.setDefaultHostnameVerifier(
                (hostname, session) -> hostname.equals("127.0.0.1"));
    }
+82
Apr 24 2018-12-12T00:

Unlike some browsers, Java follows the HTTPS specification strictly when it comes to server authentication (RFC 2818, section 3.1) and IP addresses.

When using a host name, it is possible to fall back to the Common Name in the Subject DN of the server certificate instead of using the Subject Alternative Name.

When using an IP address, the certificate must contain a Subject Alternative Name entry (of type IP address, not DNS name).

You will find more detailed information about the specification and how to create such a certificate below.

+28
Apr 22 '12 at 20:15

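Added example, not part of the original answers or of the JDK's own code: a minimal sketch of the RFC 2818 section 3.1 rules described in the second answer, showing why a CN-only certificate is rejected for an IP-address URL while one reissued with `san=ip:10.0.0.1` is accepted. The class name `SanCheck`, the sample DN and the SAN lists are constructed for illustration; it assumes literal IPv4 addresses and exact host names only (no wildcards, no IPv6).

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SanCheck { // hypothetical class name
    // GeneralName type codes used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    /** Identity check for a literal IPv4 address or an exact host name. */
    static boolean matches(String host, Collection<List<?>> sans, String subjectDn) {
        boolean hostIsIp = host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean sawDnsSan = false;
        if (sans != null) { // null means the certificate has no SAN extension
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1));
                if (hostIsIp && type == IP_ADDRESS && value.equals(host)) return true;
                if (!hostIsIp && type == DNS_NAME) {
                    sawDnsSan = true;
                    if (value.equalsIgnoreCase(host)) return true;
                }
            }
        }
        // CN fallback applies only to host names, and only when no dNSName SAN exists.
        if (hostIsIp || sawDnsSan) return false;
        return host.equalsIgnoreCase(commonName(subjectDn));
    }

    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN")) return String.valueOf(rdn.getValue());
        } catch (InvalidNameException e) { /* unparsable DN: treat as having no CN */ }
        return null;
    }

    /** Same check against a real certificate, e.g. one loaded from a keystore. */
    static boolean matches(String host, X509Certificate cert) throws CertificateParsingException {
        return matches(host, cert.getSubjectAlternativeNames(),
                cert.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) {
        // Constructed sample data, shaped like getSubjectAlternativeNames() output.
        Collection<List<?>> ipSan = Collections.singletonList(Arrays.asList(IP_ADDRESS, "10.0.0.1"));
        String dn = "CN=service.example.internal,O=Example";
        System.out.println(matches("10.0.0.1", null, dn));                 // CN-only cert, IP URL
        System.out.println(matches("10.0.0.1", ipSan, dn));                // cert with san=ip:10.0.0.1
        System.out.println(matches("service.example.internal", null, dn)); // host name, CN fallback
    }
}
```

Running the two-argument overload against the certificate actually imported into cacerts shows whether the hostname-verifier workaround can be dropped once the reissued certificate is in place.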