On Wed, 2013-05-15 at 11:53 -0400, Chris Cheshire wrote:
> I have a single server configured hosting 3 domains, A.com, B.com, C.com,
> all with their own SSL certificates. Accessing these domains via a browser
> and SSL all works just fine.
>
> However, the web app on B needs to process a callback from C over SSL. B
> has a wildcard certificate for *.B.com, and the production site is just
> B.com. My testing sandbox is at X.B.com. Both work fine with the wildcard
> certificate in a browser.
>
> To send the callback I am using HttpClient 4.2.3 :
>
> import java.io.IOException;
> import java.net.URI;
> import java.net.URISyntaxException;
> import javax.servlet.http.HttpServletResponse;
> import org.apache.http.HttpResponse;
> import org.apache.http.client.HttpClient;
> import org.apache.http.client.methods.HttpGet;
> import org.apache.http.client.utils.URIBuilder;
> import org.apache.http.impl.client.DefaultHttpClient;
> import org.apache.http.params.CoreConnectionPNames;
>
> HttpClient httpClient = new DefaultHttpClient();
>
> // socket read timeout and connect timeout, in milliseconds
> httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 30000);
> httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 30000);
>
> try {
>     URIBuilder builder = new URIBuilder(new URI("https://X.B.com/path"));
>     URI uri = builder.build();
>     HttpGet get = new HttpGet(uri);
>     get.addHeader("User-Agent", "Mozilla/5.0");
>
>     HttpResponse response = httpClient.execute(get);
>     int statusCode = response.getStatusLine().getStatusCode();
>
>     if (statusCode == HttpServletResponse.SC_OK) {
>         // callback accepted
>     }
>     else {
>         // callback rejected
>     }
> }
> catch (IOException ex) {
>     this.log.error("error", ex);
> }
> catch (URISyntaxException ex) {
>     this.log.error("error", ex);
> }
> finally {
>     httpClient.getConnectionManager().shutdown();
> }
>
>
> However, this throws the following exception :
>
> javax.net.ssl.SSLException: hostname in certificate didn't match: <X.B.com>
> != <www.A.com> OR <www.A.com> OR <A.com>
>
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227) ~[httpclient-4.2.3.jar:4.2.3]
>
>
> I even tried setting the Host header manually to "X.B.com" and it still
> didn't help (even though the docs say that this is set based upon the URI
> provided to HttpClient).
>
>
> What do I need to do to make the client negotiate the SSL connection for
> the correct host so that the correct SSL certificate is matched up? Again,
> the wildcard certificate works just fine in a browser for both B.com and
> X.B.com, but not for HttpClient.
>
I suspect this is due to SNI extensions [1] that are supported by the
browser but are not fully supported by Java.
If your application is running on Oracle Java 1.7 you can activate SNI
support as described here [2].
Please note the code snippet in the Wiki page is written using
HttpClient 4.3 APIs but a similar technique can be used with earlier
versions of HttpClient.
Oleg
[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://wiki.apache.org/HttpComponents/SNISupport
>
> Thanks
>
>
> Chris
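The exception above shows the server answering with the A.com certificate because the client never told it which virtual host it wanted. The following is an added example, not code from this thread or from the Apache wiki page Oleg links. It assumes Java 8 or later (`javax.net.ssl.SNIHostName` and `SSLParameters.setServerNames`) and the HttpClient 4.3 API (`SSLConnectionSocketFactory`, `SSLContexts`, `HttpClients`); the host `X.B.com`, port 443 and the `/path` URL are placeholders taken from the thread. The first method is a probe that sends SNI explicitly, lets JSSE verify the name, and returns the DNS names from the certificate the server actually selected, so an operator can confirm the wildcard certificate is being served for the test host; the second shows the client wiring with hostname verification kept strict.

```java
// Added example, not code from the thread or from the Apache wiki page it links.
// Assumptions: Java 8+ (SNIHostName, SSLParameters.setServerNames) and HttpClient 4.3.
// "X.B.com" is the placeholder host from the thread, not a real endpoint.
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class SniProbe {

    /**
     * Opens a TLS connection that names the target host in the SNI extension and
     * asks JSSE to verify the certificate against that name (RFC 2818 rules, as a
     * browser does). Returns the dNSName entries of the certificate the server
     * chose, so you can see whether X.B.com receives the *.B.com wildcard or the
     * server's default certificate.
     */
    public static List<String> presentedDnsNames(String host, int port) throws IOException {
        SSLContext ctx;
        try {
            ctx = SSLContext.getDefault();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            // SNI: tell the server which virtual host we want before it picks a certificate.
            params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            // Hostname verification inside JSSE; a mismatch fails the handshake.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();

            Certificate[] chain = sock.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            List<String> names = new ArrayList<>();
            try {
                if (leaf.getSubjectAlternativeNames() != null) {
                    for (List<?> san : leaf.getSubjectAlternativeNames()) {
                        // GeneralName tag 2 is dNSName
                        if (Integer.valueOf(2).equals(san.get(0))) {
                            names.add(String.valueOf(san.get(1)));
                        }
                    }
                }
            } catch (CertificateParsingException e) {
                throw new IOException(e);
            }
            return names;
        }
    }

    /**
     * HttpClient 4.3 wiring for the callback. On Java 8 JSSE sends SNI for the
     * target host itself; the strict verifier stays on so the certificate must
     * actually cover the name that was requested.
     */
    public static int callback(String url) throws IOException {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContexts.createSystemDefault(),
                SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);
        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf).build();
             CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return resp.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "X.B.com"; // placeholder host
        System.out.println("certificate names for " + host + ": " + presentedDnsNames(host, 443));
        System.out.println("callback status: " + callback("https://" + host + "/path"));
    }
}
```

If `presentedDnsNames` returns only A.com names even with SNI set, the server side is not configured to serve the wildcard certificate for that name and no client-side change will help. Note also that `SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER` makes the original exception disappear only because it stops comparing the certificate to the host at all; the SNI route keeps that check while letting the server present the right certificate.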