I am trying to make a message on a TLS server for standard and custom key stores. After receiving an instance of CloseableHttpClient when I execute the execution
CloseableHttpResponse response1 = client.execute(postMethod);
This gives me the javax.net.ssl.SSLPeerUnverifiedException: Certificate for <hostname.domain.com> doesn't match any of the subject alternative names: [] in the above line.
Below is the class in which I prepare the client instance
public class ClientelUtil { public static CloseableHttpClient getHttpClient(String scheme,SSLContext sslContext) { HttpClientBuilder clientBuilder = HttpClients.custom(); CloseableHttpClient client = null; if ("https".equalsIgnoreCase(scheme)) { SSLConnectionSocketFactory sFactory = new SSLConnectionSocketFactory(sslContext); final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create() .register("http", new PlainConnectionSocketFactory()).register("https", sFactory).build(); final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry); clientBuilder = HttpClients.custom().setSSLSocketFactory(sFactory) .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) .setConnectionManager(cm); } client = clientBuilder.build(); return client; } public static CloseableHttpClient getHttpClient(String scheme) { return getHttpClient(scheme, getSSLContext()); } public static CloseableHttpClient getHttpClientWithoutTLSValidation(String scheme) { return getHttpClient(scheme, getSSLContextWithoutValidation()); } public static SSLContext getSSLContextWithoutValidation() { SSLContext sslContext=null; try { sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() { public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { return true; } }).build(); } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) { e.printStackTrace(); } return sslContext; } public static SSLContext getSSLContext() { SSLContext sslContext=null; try { JKSInfo jksInfo = JKSUtil.getTrustStoreInfo(); sslContext = HttpSSLUtil.getSSLContext(jksInfo.getJksPath(), jksInfo.getJksPassword()); } catch (HttpSSLException e) { e.printStackTrace(); } return sslContext; } }
This is where I use the class above in my program
public String post(String host,int port,Map<String,String> data) { CloseableHttpClient client = null; String response = null; String protocol = HTTP; try{ if( isServerSSLEnabled() ){ //returns a boolean tru or false. In this case it is true protocol = HTTPS; } client = ClientelUtil.getHttpClient(protocol); //RequestConfig requestConfig = RequestConfig.custom().setCircularRedirectsAllowed(true).build(); URIBuilder builder = new URIBuilder() .setScheme(protocol) .setHost(host).setPort(port) .setPath(CONNECT_URI); URI uri = builder.build(); HttpPost postMethod = new HttpPost(uri); //postMethod.setConfig(requestConfig); logger.debug("Sending request on host [" + host +"], port ["+ port+"], Protocol ["+ protocol + "] connectURI ["+CONNECT_URI+"]"); addRequestHeaders(postMethod); ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>(); try { for(Map.Entry<String,String> entry : data.entrySet()) { postParameters.add(new BasicNameValuePair(entry.getKey(),entry.getValue())); } postMethod.setEntity(new UrlEncodedFormEntity(postParameters)); CloseableHttpResponse response1 = client.execute(postMethod); // <-- SSLPeerUnverifiedException at this point response = EntityUtils.toString(response1.getEntity()); } catch (IOException e) { logger.error("Error while running the scenario on node host [" + host+"]",e); } finally{ postMethod.releaseConnection(); } } catch (URISyntaxException e1) { e1.printStackTrace(); }finally { if(client!=null) try { client.close(); } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); } } return response; }
I am using apache http client 4.5 for this, please help determine what is wrong here.
It also requires CN=FQDN in the keystore used in the getSSLContext method, since I use NoopHostnameVerifier.INSTANCE to create an HttpClientBuilder ?
thanks
Update
I created a new trust file with a Common Name (eg server FQDN or YOUR name) []: as my host name, after which I work on the code (now I use the host name to access my server code instead of hostname.domain.com , as mentioned above in my question).
Now my question is: if CN | Common Name not in the trust file, can it be checked with some modification in the above code? Please suggest. Thanks again.
Update
Posting a full stack trace. It is also good practice to return true in case of host name verification, so that it ignores host name verification and works without using CN or SAN in production (tell me when it can be used otherwise)?
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <hostname.domain.com> doesn't match any of the subject alternative names: [] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:467) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at com.code.app.myapp.utils.HttpUtil.post(HttpUtil.java:102) at com.code.app.myapp2.RequestDispatcher.dispatchRequest(RequestDispatcher.java:61) at com.code.app.chain.commands.FetchDiagnosticsInfo.executeOperation(FetchDiagnosticsInfo.java:82) at com.informatica.tools.ui.isomorphic.DSCommand.execute(DSCommand.java:45) at com.code.app.chain.commands.BaseDSCommand.execute(BaseDSCommand.java:59) at com.informatica.tools.ui.isomorphic.RPCCommand.execute(RPCCommand.java:43) at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166) at com.informatica.tools.ui.isomorphic.RPCController.execute(RPCController.java:97) at com.code.app.ui.IsomorphicController.execute(IsomorphicController.java:115) at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166) at org.apache.struts.chain.commands.ExecuteCommand.execute(ExecuteCommand.java:70) at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51) at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166) at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:175) at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166) at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462) at javax.servlet.http.HttpServlet.service(HttpServlet.java:650) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.code.app.ui.security.UserIdentifierFilter.doFilter(UserIdentifierFilter.java:352) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.code.app.ui.i18n.InfEncodingFilter.doFilter(InfEncodingFilter.java:156) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.code.app.config.InfSessionTimeoutManagerFilter.doFilter(InfSessionTimeoutManagerFilter.java:79) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.code.app.ui.security.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:26) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:615) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)