java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx found
or
java.security.cert.CertificateException: No subject alternative DNS name matching hostname.com found.
The reason is that the certificate did not set the subject alternative value correctly. Two possible solutions for the above scenario:
- Change the certificate’s subject alternative value
- Create a customized HostnameVerifier
If you’re connecting to your host by using IP address, then you must change the subject alternative value to your IP address value. Likewise if you’re connecting using DNS name, the subject alternative value must match with the DNS name.
Create a Customized HostnameVerifier
Basically you just need to create your customized HostnameVerifier class like the example below:
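// At the top of the file:
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
// Nested inside your own class. Accepts every hostname without checking it.
private static class CustomizedHostnameVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}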
and then apply this class to a single SSL connection:
HttpsURLConnection connection = (HttpsURLConnection) new URL("https://url").openConnection();
connection.setHostnameVerifier(new CustomizedHostnameVerifier());
or apply it to all SSL connections:
HttpsURLConnection.setDefaultHostnameVerifier(new CustomizedHostnameVerifier());
However, this method might pose a security risk because we no longer verify the hostname. The server may present another website’s certificate and the program will still accept it.
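A narrower alternative to returning true, as an added example that is not part of the original post: this verifier accepts exactly one known mismatch (the URL uses connectAs while the certificate lists certName) and rejects everything else. The class name PinnedNameVerifier and both constructor parameters are assumptions made for this illustration.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical class: allows a single, explicitly configured name mismatch.
public class PinnedNameVerifier implements HostnameVerifier {
    private static final int SAN_DNS = 2; // GeneralName type dNSName
    private static final int SAN_IP = 7;  // GeneralName type iPAddress
    private final String connectAs; // host or IP used in the URL (assumed parameter)
    private final String certName;  // SAN entry the server certificate must carry (assumed parameter)

    public PinnedNameVerifier(String connectAs, String certName) {
        this.connectAs = connectAs;
        this.certName = certName;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Refuse every host other than the single exception configured here.
        if (!connectAs.equalsIgnoreCase(hostname)) {
            return false;
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            X509Certificate leaf = (X509Certificate) chain[0];
            return sanContains(leaf.getSubjectAlternativeNames(), certName);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed when the peer certificate cannot be read
        }
    }

    // True when a dNSName or iPAddress SAN entry equals expected (exact match, no wildcards).
    static boolean sanContains(Collection<List<?>> sans, String expected) {
        if (sans == null) return false; // certificate has no SAN extension
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            if ((type == SAN_DNS || type == SAN_IP) && expected.equalsIgnoreCase(String.valueOf(entry.get(1)))) {
                return true;
            }
        }
        return false;
    }
}
```

Install it on one connection with connection.setHostnameVerifier(new PinnedNameVerifier("10.0.0.5", "hostname.com")), where 10.0.0.5 is a constructed sample address. Certificate chain validation by the trust manager still runs as before; only the name check is replaced.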
Our company recently wanted to add several of its domains under the one certificate, so we approached a company specialising in Subject Alt Name SSL certificates on the Exchange 2007. This has been with a trusted certificate and we've had fantastic response from our customers across the domains at the added security.
Your blog site is useful but your blog title is discriminatory. Why don't you just make it something like Jarsehole.
The reason is simple, I hate Java as much as I love them. And this blog's content consists mostly of the technical challenge that I've encountered along the way.
Please don't think too much of the reason behind my blog title, it's just something that pops out on top of my head that makes me smile.
Great! But how to change certificate’s subject alternative value? Thanks in advance
"private static class", this should be public class... this won't compile.