Re: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxx.xxx.com found.

[Colm O hEigeartaigh]

The CertificateHostnameVerifier does support subject alternative names. I'd
recommend setting a breakpoint in the "check" methods here + see what is
going on:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java;hb=HEAD

Colm.

On Tue, Nov 4, 2014 at 3:56 PM, Cole Ferrier <c...@coleferrier.com> wrote:

> Having a little bit of trouble with a a client web service due to a server
> now having a certificate where its name is only in Subject Alternate Names.
>
> At first we where getting an error that was out of CXF and it said to set "
> disableCNCheck" to true, however we don't want to disable alternate names.
>
> Then I tried a simple test:
>
> url = new URL(https_url);
> HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
>
> and java 7 was able to connect to the url and download content from it. (it
> didn't through off any errors).
>
> So then we set useHttpsURLConnectionDefaultSslSocketFactory and
> useHttpsURLConnectionDefaultHostnameVerifier to true to try to use the Java
> versions.
>
> javax.xml.ws.WebServiceException: Could not send Message.
>     at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
>     at com.sun.proxy.$Proxy50.callback(Unknown Source)
> ..... (Code that called started the web service call)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException
> invoking https://xxxxxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxxxx:
> java.security.cert.CertificateException: No subject alternative DNS name
> matching xxxxxxxxxxxxxxxxxxxxxxx found.
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
>     at
>
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>     at
>
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>     at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
>     at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
>     at
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
>     at
>
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>     ... 5 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No subject alternative DNS name
> matching xxxxxxxxxxxxxxxx found.
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at
>
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
>     at
>
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>     at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
>     at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
>     at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
>     at
>
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at
>
> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090)
>     at
>
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     at
>
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168)
>     at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278)
>     at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
>     at
>
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
>     at
>
> org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>     at
>
> org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>     at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
>     ... 15 more
> Caused by: java.security.cert.CertificateException: No subject alternative
> DNS name matching xxxxxxxxxxxxxxxxx found.
>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
>     at
>
> sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
>     at
>
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
>     at
>
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>     at
>
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
>     ... 33 more
>
>
> Any Ideas why a basic URL connection works, but CXF while set to use the
> Java defaults doesn't?
>
>
> Thanks.
>
> Cole
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com