My Java server is using a rest service to retrieve information. Every several months I get an exception from java:
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name
matching found.
This exception happens for few seconds and goes away until next time. From reading in the internet, I saw it's a problem of the remote server and its certificate. I talked to the support of the service but they say they updated the certificate on January and nothing was done regarding the certificate.
What/where else can I check or tell them to check in order to avoid this error?
Thanks
Related
My application is running for fetch data from a website with https:
let say
https://api.something.com
When I call with Apache HttpClient using HttpClients.createDefault();
It return the above error show PKIX path building failed.
Even I use Postman to call the api. I still need to disable SSL certification verification to make the call success.
My question is:
Is this is a one way ssl verification? because I don't post data to that domain. I only pull data from it. So server don't have to know who I am. But I can know that's exactly the server I call, and api response is from that domain as well (no middle man). Is my concept correct?
So to resolve this problem, can I just use a dummy sslContext?
thanks a lot
Yes it may be one way TLS but you should have the certificate of CA that issued the certificate of your server in your trust store in java (or other client) to have SSL connection.
I have a java web application that runs in WebSphere that need to call to third party service (IBM) to get some response.
At first IBM give me a p12 file, which is contain client certificate, and I test it in Firefox RestClient, the call success and I am getting response code 200 in the RestClient. Else, I will get 403 forbidden. So this is proof that the p12 provided by third party is correct. Please correct me if my statement is wrong.
Thus, I happily import this p12 file into my CellDefaultKeyStore to test the connection on my application. Unfortunately, after I import this p12 file, the nodes status become "unknown", and I cant even "synchronize" them. And when I check server log, I keep seeing
com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by xxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
After that I remove it from CellDefaultKeyStore try to import it into NodeDefaultKeyStore, the node issue gone, the node can sync back and my app can call to the third party successfully. I think this is done of my job today, however, this solution is not stable, its only work some times, not every time. The node status will still become "unknown" after a moment, or, if I run ./stopManager.sh and ./startManager.sh, the node issue will immediately come back.
I have try run ./stopNode.sh and ./startNode.sh, there are no error in the log of this 2 shell script. But the WAS Console UI there still showing status is unknown, and I cant even stop start my server through WAS Console.
At first I am thinking its maybe display issue, but this issue will solve if I delete the p12 file from my NodeDefaultKeyStore.
I try google around but end up still cant find any clue. I am not sure is it my configuration or the p12 file having problem.
Which log should I refer to see why the node status will become unknown, or what else I can continue to debug/troubleshoot on this?
You received the certificate for an external service and you want code in Websphere to connect to that service right? The default cell store is not the place to put external connection`s certificates.
Put it in the Trusted keystore. This will tell WebSphere to trust that external connections certificate, enabling your code to connect to it.
You can do it via the console, or using iKeyman directly on the file.
That being said, do not mess with the default certificate in the default keystore. #dbreaux is right on that in the comments.
I'm now stuck with a HTTPS/SSL issue. I'm developing on Windows 10 / Java 8 v121 on Codename One.
When I tried to call a HTTP (without SSL) connection, I get rejected with a reference to [https://www.codenameone.com/blog/ios-http-urls.html]. I don't think the call even hit the server. I tried to include the "build hint" in my codenameone_settings.properties file but to no avail.
Next, I tried to use self-signed certificate and it generated a "Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" exception. So, I thought the error was caused because my certificate was self-signed, but it wasn't...
Then I got a free certificate from [https://www.sslforfree.com/] and it is still causing the SAME exception message. However, this cerficate works fine with my Firefox browser. I'm also using Simple DNS Plus (for Windows) for the signed certificate domain name tested to work correctly in my Firefox browser (ie. correctly hit the server with no Insecure Connection message).
I'd like to understand how to:-
Get the "build hint" to work for iOS (in the Codename One simulator) so it calls http (without ssl) connections.
How to resolve the Java exception.
Thanks!
Just use http URL during the development stage and when you are ready to publish, buy a genuine SSL certificate and change the http to https. It's for your own good, as unencrypted Webservice call will make your app vulnerable to a man-in-middle attack.
To make your http work on iOS during dev stage, add this build hint:
ios.plistInject=<key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict><key>CFBundleURLTypes</key><array><dict><key>CFBundleURLName</key><string>com.mycompany.myapp</string></dict><dict><key>CFBundleURLSchemes</key><array><string>MyApp</string></array></dict></array>
There was a similar question previously which I answered here.
Hope you are doing well.I know there are many answers alike to the issue that i am going to ask but still no one seems to help.
Please help!!!
Issue:-
I am trying to connect to a secure website(HTTPS) using WebScarab, so that i can capture the traffic.Http is working fine for me.
For this i am using WebScarab as a proxy.
'client.getHostConfiguration().setProxy("127.0.0.1", 8008);'
but everytime i gets an exception (
SunCertPathBuilderException
) as stated above.
I have tried adding the website certificate to the Java using Keytool utility also.
I then added a proxy (reverse) entry in WebScarab (127.0.0.1 , 443) and changed the program to use it as a proxy server.
'client.getHostConfiguration().setProxy("127.0.0.1", 443);'
Then i got the following exception :-
org.apache.commons.httpclient.ProtocolException: The server stbeehive.oracle.com failed to respond with a valid HTTP response.
I also tried creating a .p12 certificate (for the website which i want to connect to) and importing it to WebScarab.
But inspite of all these methods i am not able to get the proper response.
I am using WebScarab as a proxy for firefox to capture its traffic and it is working fine (for both http and https).
Please help me as i have run out of ideas now :(
Are you using WebScarab or WebScarab-NG?
Please try WebScarab "classic", rather than the -NG variant. NG was a failed experiment, and no real effort was put into validating the client-side certificate functionality.
Also, what version of Java are you using, what operating system, 32 bit or 64-bit, etc, etc
Regards,
Rogan
I'm using clojure-http to make the following POST:
(clojure-http.resourcefully/post "https://android.apis.google.com/c2dm/send"
{"Authorization" (str "GoogleLogin auth=" auth-token)}
{"registration_id" registration-id
"data.msg" "blah"
"collapse_key" "blah"})
And getting this exception:
java.security.cert.CertificateException: No subject alternative DNS name matching android.apis.google.com found.
[Thrown class javax.net.ssl.SSLHandshakeException]
For some weird reason, about 10% of the time I don't get the exception and the request goes through.
I believe it's an issue with Java's host name checking on SSL connections*, so my question is, how do I disable that from Clojure? (or is that a bad idea security-wise?)
Thanks,
Wei
*deduced from this post and others like it: http://www.jroller.com/hasant/entry/no_subject_alternative_names_matching
Its not a problem with your code, its a problem with android's website.
Open this link in a modern browser- https://android.apis.google.com/. You will see that the SSL certificate belongs to *.google.com, but you are visiting a domain under *.apis.google.com. You should probably search on Android forums for a solution to this problem.
Its a bad idea to disable host name checking, you are opening up yourself to man-in-the-middle attacks. If you don't really care about security, you might as well use http, its easier than disabling host name checks.