Re: Receiving error "java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer"
On Tue, 2016-08-23 at 21:41 -0400, Sachin Nikumbh wrote:
> Hello,
>
> I am working on a client application that is using
> both CloseableHttpAsyncClient and CloseableHttpClient with HTTPS. My
> application is sending a POST request with large amount of data and bunch
> of GET requests as well. I was initially using CloseableHttpAsyncClient for
> all the requests and everything was working fine with HTTPS. I recently
> changed my code to use CloseableHttpClient just for the POST request. Now,
> for the same client and server certificates (self signed), the SSL
> handshake for POST is failing with error:
>
> Host name 'localhost' does not match the certificate subject provided by
> the peer (C=US, ST=MA, L=Natick, O=Mathworks, OU=MPS_QE, CN=localhost)
>
> As can be seen, the CN of the server certificate is localhost. Following is
> the code that I am using to create CloseableHttpClient :
>
> SSLConnectionSocketFactory sslFactory = new
> SSLConnectionSocketFactory(sslContext, hostnameVerifier);
> CloseableHttpClient httpClient = HttpClients.custom()
>         .setUserAgent(ApacheHttpClient.class.getName())
>         .setSSLSocketFactory(sslFactory)
>         .build();
>
> In the above code, sslContext is created using custom truststore and
> keystore using system properties
> like javax.net.ssl.keyStore, javax.net.ssl.trustStore, etc. The
> hostnameVerifier's verify method is returning false. I have a feeling that
> I am doing something wrong in the way I am setting up the
> CloseableHttpClient.
>
> Could using CloseableHttpAsyncClient and CloseableHttpClient in the same
> application to use HTTPS cause any issues?
>

I cannot think of any reason why it would.

Conceptually however using two clients instead of one sounds somehow wrong to me.

Oleg
RE: Receiving error "java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer"
Hi all,

I should have made it clear as to what it is that I am trying to achieve. The "hostnameVerifier" that I mentioned in my previous email is a custom HostnameVerifier that our users pass through some API that we have provided. The goal here is to override the default hostname verifier if it fails. So, if the hostname matches the CN in the server certificate, things will work fine. If the hostname does not match the CN in server certificate, I want the users to have the ability to still continue by writing their own HostnameVerifier that will let them ignore this and still move forward with the SSL handshake.

I think my question should really be around how to achieve this with CloseableHttpClient.

Thanks
Sachin

-----Original Message-----
From: Sachin Nikumbh [mailto:saniku...@gmail.com]
Sent: Tuesday, August 23, 2016 9:42 PM
To: HttpClient User Discussion
Subject: Receiving error "java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer"

Hello,

I am working on a client application that is using both CloseableHttpAsyncClient and CloseableHttpClient with HTTPS. My application is sending a POST request with large amount of data and bunch of GET requests as well. I was initially using CloseableHttpAsyncClient for all the requests and everything was working fine with HTTPS. I recently changed my code to use CloseableHttpClient just for the POST request. Now, for the same client and server certificates (self signed), the SSL handshake for POST is failing with error:

Host name 'localhost' does not match the certificate subject provided by the peer (C=US, ST=MA, L=Natick, O=Mathworks, OU=MPS_QE, CN=localhost)

As can be seen, the CN of the server certificate is localhost. Following is the code that I am using to create CloseableHttpClient :

    SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
    CloseableHttpClient httpClient = HttpClients.custom()
            .setUserAgent(ApacheHttpClient.class.getName())
            .setSSLSocketFactory(sslFactory)
            .build();

In the above code, sslContext is created using custom truststore and keystore using system properties like javax.net.ssl.keyStore, javax.net.ssl.trustStore, etc. The hostnameVerifier's verify method is returning false. I have a feeling that I am doing something wrong in the way I am setting up the CloseableHttpClient.

Could using CloseableHttpAsyncClient and CloseableHttpClient in the same application to use HTTPS cause any issues?

Any help would be appreciated.

Thanks
Sachin

PS: I am including the SSL handshake details obtained by javax.net.debug=all, if that will help
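One way to implement the fallback asked about in the follow-up above without accepting every mismatched certificate, as an added example that is not code from this thread or from the HttpClient project: run the library's default hostname check first and, only if it fails, accept the peer when its leaf certificate matches a fingerprint pinned for that host. `PinnedFallbackVerifier`, its `pins` map and `build` are hypothetical names, and `DefaultHostnameVerifier` assumes HttpClient 4.4 or later.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Hypothetical helper: default hostname check first, pinned-certificate fallback second. */
public final class PinnedFallbackVerifier implements HostnameVerifier {
    private final HostnameVerifier standard = new DefaultHostnameVerifier();
    // host name -> hex SHA-256 of the expected leaf certificate (DER encoding)
    private final Map<String, String> pins;

    public PinnedFallbackVerifier(Map<String, String> pins) {
        this.pins = pins;
    }

    @Override
    public boolean verify(String host, SSLSession session) {
        if (standard.verify(host, session)) {
            return true; // certificate names cover the host: nothing to override
        }
        String expected = pins.get(host);
        if (expected == null) {
            return false; // no pin registered for this host: keep failing closed
        }
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString().equalsIgnoreCase(expected);
        } catch (GeneralSecurityException | SSLException e) {
            return false; // unreadable or missing peer certificate is a failure, not a pass
        }
    }

    /** Wires the verifier into a CloseableHttpClient the same way the thread's snippet does. */
    public static CloseableHttpClient build(SSLContext sslContext, Map<String, String> pins) {
        SSLConnectionSocketFactory sslFactory =
                new SSLConnectionSocketFactory(sslContext, new PinnedFallbackVerifier(pins));
        return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }
}
```

Returning `false` from `verify` is what makes the socket factory raise the "does not match the certificate subject" error, so every path that is not an explicit match ends in `false`.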
Receiving error "java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer"
Hello,

I am working on a client application that is using both CloseableHttpAsyncClient and CloseableHttpClient with HTTPS. My application is sending a POST request with large amount of data and bunch of GET requests as well. I was initially using CloseableHttpAsyncClient for all the requests and everything was working fine with HTTPS. I recently changed my code to use CloseableHttpClient just for the POST request. Now, for the same client and server certificates (self signed), the SSL handshake for POST is failing with error:

Host name 'localhost' does not match the certificate subject provided by the peer (C=US, ST=MA, L=Natick, O=Mathworks, OU=MPS_QE, CN=localhost)

As can be seen, the CN of the server certificate is localhost. Following is the code that I am using to create CloseableHttpClient :

    SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
    CloseableHttpClient httpClient = HttpClients.custom()
            .setUserAgent(ApacheHttpClient.class.getName())
            .setSSLSocketFactory(sslFactory)
            .build();

In the above code, sslContext is created using custom truststore and keystore using system properties like javax.net.ssl.keyStore, javax.net.ssl.trustStore, etc. The hostnameVerifier's verify method is returning false. I have a feeling that I am doing something wrong in the way I am setting up the CloseableHttpClient.

Could using CloseableHttpAsyncClient and CloseableHttpClient in the same application to use HTTPS cause any issues?

Any help would be appreciated.

Thanks
Sachin

PS: I am including the SSL handshake details obtained by javax.net.debug=all, if that will help