Having a little bit of trouble with a client web service due to a server
now having a certificate where its name is only in Subject Alternate Names.

At first we were getting an error that was out of CXF and it said to set
"disableCNCheck" to true, however we don't want to disable alternate names.

Then I tried a simple test:

url = new URL(https_url);
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();

and Java 7 was able to connect to the url and download content from it. (It
didn't throw any errors.)

So then we set useHttpsURLConnectionDefaultSslSocketFactory and
useHttpsURLConnectionDefaultHostnameVerifier to true to try to use the Java
versions.

javax.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
    at com.sun.proxy.$Proxy50.callback(Unknown Source)
..... (Code that called started the web service call)
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://xxxxxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxxxx: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxxxxxxxxxxxxxxxxxx found.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
    ... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxxxxxxxxxxx found.
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
    ... 15 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxxxxxxxxxxxx found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 33 more


Any ideas why a basic URL connection works, but CXF while set to use the
Java defaults doesn't?


Thanks.

Cole
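
Added example, not part of the original post and not CXF or JDK code: a simplified sketch of the check behind "No subject alternative DNS name matching ... found", where the host from the endpoint URL is compared against the certificate's dNSName SAN entries. The class and method names (SanCheck, matchesPattern, hostInSans) are hypothetical, the hostnames are constructed, and the wildcard rule is reduced to a single left-most label, which is an assumption rather than the JDK's exact matching.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SanCheck {
    // GeneralName tag for dNSName in X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2;

    // Exact, case-insensitive match, or "*." standing for exactly one left-most label.
    static boolean matchesPattern(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1);      // e.g. ".svc.example.test"
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(suffix);
    }

    // 'sans' has the shape returned by getSubjectAlternativeNames():
    // each entry is [Integer type, Object value]; null means no SAN extension.
    static boolean hostInSans(String host, Collection<List<?>> sans) {
        if (sans == null) {
            return false;
        }
        for (List<?> entry : sans) {
            boolean isDns = ((Integer) entry.get(0)) == DNS_NAME;
            if (isDns && matchesPattern(host, (String) entry.get(1))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed SAN list standing in for a server certificate.
        Collection<List<?>> sans = Arrays.<List<?>>asList(
                Arrays.<Object>asList(DNS_NAME, "api.example.test"),
                Arrays.<Object>asList(DNS_NAME, "*.svc.example.test"));
        // Hosts as they might appear in an endpoint address: FQDN, different case,
        // wildcard-covered name, two labels under the wildcard, short alias, IP literal.
        String[] hosts = {"api.example.test", "API.Example.Test", "a.svc.example.test",
                          "a.b.svc.example.test", "api", "10.0.0.5"};
        for (String host : hosts) {
            System.out.println(host + " -> " + hostInSans(host, sans));
        }
    }
}
```

The name that gets checked is the host part of the address the client actually connects to, so a certificate that is valid for the server's FQDN still fails this check when the endpoint is addressed by an alias, a short name or an IP literal.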
