Wednesday, December 10, 2008

Java SSL No Subject Alternative Matched

When you trying to connect to a server with untrusted SSL certificate, you might encounter below mentioned exceptions:
java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx found
or
java.security.cert.CertificateException: No subject alternative DNS name matching hostname.com found.
The reason is because the certificate did not set the correct subject alternative value correctly. Two possible solution for above scenario:
  • Change certificate’s subject alternative value
  • Create customize HostnameVerifier
Change Certificate’s Subject Alternative Value

If you’re connecting to your host by using IP address, then you must change the subject alternative value to your IP address value. Likewise if you’re connecting using DNS name, the subject alternative value must match with the DNS name.

Create Customize HostnameVerifier

Basically you just need to create your customized HostnameVerifier class like example below:

private static class CustomizedHostnameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession session) {
return true;
}
}


and then apply this class to your single SSL connection

HttpsURLConnection connection = (HttpsURLConnection) new URL("https://url").openConnection();
connection.setHostnameVerifier(new CustomizedHostNameVerifier());


or apply to all SLL connection

HttpsURLConnection.setDefaultHostnameVerifier(new CustomizedHostnameVerifier());


However this method might pose a security risk because basically we don’t verify the hostname anymore. The server may use other website’s certificate and the program will still accept it.
Posted by at 5 comments:
Labels: , ,

Java SSL Untrusted Certificate

When you trying to connect to a server with untrusted SSL certificate, you might encounter below mentioned exceptions:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It was thrown because Java was unable to verify the validity of the certificate. In your web browser it might warn you that the certificate is untrusted and you’re still be able to add the certificate to a trusted list. But in Java, you’ll have to use a keytool to do the same thing.

You can find the keytool in your Java jdk bin directory. After you located your keytool, follow the steps:
  • Download your server certificate to your local machine
  • Insert to your Java cacerts by executing the keytool with some parameters:
    keytool -keystore ..\jre\lib\security\cacerts -import -alias anyaliasyoulike -file c:\path\to\your.crt -trustcacerts
  • Keystore password: changeit
If you did it correctly, it should notify you with: Certificate was added to keystore.

Quick tip:
  • To list all the certificate in keystore
    keytool -list -keystore ..\jre\lib\security\cacerts
  • To remove certificate from keystore
    keytool -delete -alias certalias -keystore ..\jre\lib\security\cacerts
Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)