On Fri, 2013-05-17 at 08:49 -0400, Chris Cheshire wrote:
> Thanks for the wikipedia link - I have been scratching my head in confusion
> over this wondering why it wasn't using the Host header, and now it all
> makes sense.
>
> I'm still running under TC6, so no Java 7 at the moment. Is there a
> solution for Java 6?

None I know of.

> If not, I'll have to upgrade because getting another
> IP address is really just a bandaid (and a bad one at that) as I have a
> feeling I'm going to run into this problem again shortly.
>
> How stable is the beta of HttpClient 4.3?
>

It is quite stable for a BETA ;-) If your app is to go productive in a few
months I would strongly recommend migrating to 4.3 already. 4.3 GA can be
expected by mid Summer.

Oleg

> Thanks
>
> Chris
>
>
> On Fri, May 17, 2013 at 3:52 AM, Oleg Kalnichevski <[email protected]> wrote:
>
> > On Wed, 2013-05-15 at 11:53 -0400, Chris Cheshire wrote:
> > > I have a single server configured hosting 3 domains, A.com, B.com, C.com,
> > > all with their own SSL certificates. Accessing these domains via a browser
> > > and SSL all works just fine.
> > >
> > > However, the web app on B needs to process a callback from C over SSL. B
> > > has a wildcard certificate for *.B.com, and the production site is just
> > > B.com. My testing sandbox is at X.B.com. Both work fine with the wildcard
> > > certificate in a browser.
> > >
> > > To send the callback I am using HttpClient 4.2.3 :
> > >
> > > HttpClient httpClient = new DefaultHttpClient();
> > >
> > > httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 30000);
> > > httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 30000);
> > >
> > > try {
> > >     URIBuilder builder = new URIBuilder(new URI("https://X.B.com/path"));
> > >     URI uri = builder.build();
> > >     HttpGet get = new HttpGet(uri);
> > >     get.addHeader("User-Agent", "Mozilla/5.0");
> > >
> > >     HttpResponse response = httpClient.execute(get);
> > >     int statusCode = response.getStatusLine().getStatusCode();
> > >
> > >     if (statusCode == HttpServletResponse.SC_OK) {
> > >
> > >     }
> > >     else {
> > >
> > >     }
> > > }
> > > catch (IOException ex) {
> > >     this.log.error("error", ex);
> > > }
> > > catch (URISyntaxException ex) {
> > >     this.log.error("error", ex);
> > > }
> > > finally {
> > >     httpClient.getConnectionManager().shutdown();
> > > }
> > >
> > >
> > > However, this throws the following exception :
> > >
> > > javax.net.ssl.SSLException: hostname in certificate didn't match: <X.B.com> != <www.A.com> OR <www.A.com> OR <A.com>
> > >
> > >     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227) ~[httpclient-4.2.3.jar:4.2.3]
> > >
> > >
> > > I even tried setting the Host header manually to "X.B.com" and it still
> > > didn't help (even though the docs say that this is set based upon the URI
> > > provided to HttpClient).
> > >
> > >
> > > What do I need to do to make the client negotiate the SSL connection for
> > > the correct host so that the correct SSL certificate is matched up? Again,
> > > the wildcard certificate works just fine in a browser for both B.com and
> > > X.B.com, but not for HttpClient.
> > >
> >
> > I suspect this is due to SNI extensions [1] that are supported by the
> > browser but are not fully supported by Java.
> >
> > If your application is running on Oracle Java 1.7 you can activate SNI
> > support as described here [2].
> >
> > Please note the code snippet in the Wiki page is written using
> > HttpClient 4.3 APIs but a similar technique can be used with earlier
> > versions of HttpClient.
> >
> > Oleg
> >
> > [1] http://en.wikipedia.org/wiki/Server_Name_Indication
> > [2] https://wiki.apache.org/HttpComponents/SNISupport
> >
> > > Thanks
> > >
> > > Chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
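
A local check of whether a given JVM puts the SNI extension into its ClientHello, which is the behaviour the reply above points to; this is an added example, not code from the thread or from HttpClient. It builds the ClientHello with a plain JSSE `SSLEngine` and parses it in memory without opening a connection; the class name `SniCheck`, the helper names, and the default host `X.B.com` (the thread's placeholder) are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;

public class SniCheck {

    /** Build (but never send) the ClientHello this JVM would emit for host:port. */
    static ByteBuffer clientHello(String host, int port) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out);   // first flight is the ClientHello
        out.flip();
        return out;
    }

    static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }

    /** Return the host_name carried in the server_name extension, or null if absent. */
    static String serverName(ByteBuffer b) throws Exception {
        try {
            if (b.get() != 0x16) return null;       // not a TLS handshake record (e.g. SSLv2Hello)
            skip(b, 4);                             // record version + record length
            if (b.get() != 0x01) return null;       // handshake type 1 = ClientHello
            skip(b, 3 + 2 + 32);                    // handshake length, client_version, random
            skip(b, b.get() & 0xff);                // session_id
            skip(b, b.getShort() & 0xffff);         // cipher_suites
            skip(b, b.get() & 0xff);                // compression_methods
            if (!b.hasRemaining()) return null;     // hello without any extensions
            int extLen = b.getShort() & 0xffff;
            int end = b.position() + extLen;
            while (b.position() + 4 <= end) {
                int type = b.getShort() & 0xffff, len = b.getShort() & 0xffff;
                if (type != 0) { skip(b, len); continue; }   // extension 0 = server_name
                skip(b, 2);                                  // server_name_list length
                if (b.get() != 0) return null;               // name_type 0 = host_name
                byte[] name = new byte[b.getShort() & 0xffff];
                b.get(name);
                return new String(name, "US-ASCII");
            }
            return null;                            // extensions present, but no server_name
        } catch (RuntimeException e) {
            return null;                            // truncated or malformed record
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "X.B.com";  // placeholder name from the thread
        String sni = serverName(clientHello(host, 443));
        System.out.println("Java " + System.getProperty("java.version") + ": "
            + (sni == null ? "no SNI in ClientHello" : "SNI sent for " + sni));
    }
}
```

Run it on the same JVM that hosts the web app: if it reports no SNI, a server holding several certificates on one IP address has no name to select on, which matches the mismatch in the exception above.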
