SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0

栀梦 2020-11-22 06:35

I upgraded from Java 1.6 to Java 1.7 today. Since then an error occurs when I try to establish a connection to my webserver over SSL:

javax.net.ssl.SSLProtoco         

17 answers
  • 2020-11-22 07:08

    Here is a solution for Apache HttpClient 4.5.11. I had a problem with a cert whose subject was wildcarded *.hostname.com. It returned the same exception, but I mustn't disable it by the property System.setProperty("jsse.enableSNIExtension", "false"); because it caused an error in the Google location client.

    I found a simple solution (only modifying the socket):

    import io.micronaut.context.annotation.Bean;
    import io.micronaut.context.annotation.Factory;
    import org.apache.http.client.HttpClient;
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.ssl.SSLContexts;
    
    import javax.inject.Named;
    import javax.net.ssl.SSLParameters;
    import javax.net.ssl.SSLSocket;
    import java.io.IOException;
    import java.util.List;
    
    @Factory
    public class BeanFactory {
    
        @Bean
        @Named("without_verify")
        public HttpClient provideHttpClient() {
            // NoopHostnameVerifier accepts any certificate subject, i.e. hostname verification is switched off for this client.
            SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createDefault(), NoopHostnameVerifier.INSTANCE) {
                @Override
                protected void prepareSocket(SSLSocket socket) throws IOException {
                    // An empty server-name list means no SNI extension is sent in the ClientHello,
                    // so the server cannot answer with the unrecognized_name alert.
                    SSLParameters parameters = socket.getSSLParameters();
                    parameters.setServerNames(List.of());
                    socket.setSSLParameters(parameters);
                    super.prepareSocket(socket);
                }
            };
    
            return HttpClients.custom()
                    .setSSLSocketFactory(connectionSocketFactory)
                    .build();
        }
    }
    
    0 Discussion (0)
  • 2020-11-22 07:09

    You cannot supply system properties to the jarsigner.exe tool, unfortunately.

    I have submitted defect 7177232, referencing @eckes' defect 7127374 and explaining why it was closed in error.

    My defect is specifically about the impact on the jarsigner tool, but perhaps it will lead them to reopening the other defect and addressing the issue properly.

    UPDATE: Actually, it turns out that you CAN supply system properties to the Jarsigner tool, it's just not in the help message. Use jarsigner -J-Djsse.enableSNIExtension=false

    0 Discussion (0)
  • 2020-11-22 07:10

    Ran into this issue with spring boot and jvm 1.7 and 1.8. On AWS, we did not have the option to change the ServerName and ServerAlias to match (they are different) so we did the following:

    In build.gradle we added the following:

    System.setProperty("jsse.enableSNIExtension", "false")
    bootRun.systemProperties = System.properties
    

    That allowed us to bypass the issue with the "Unrecognized Name".

    0 Discussion (0)
  • 2020-11-22 07:11

    Just to add a solution here. This might help for LAMP users

    Options +FollowSymLinks -SymLinksIfOwnerMatch
    

    The above mentioned line in the virtual host configuration was the culprit.

    Virtual host configuration when the error occurred

    <VirtualHost *:80>
        DocumentRoot /var/www/html/load/web
        ServerName dev.load.com
        <Directory "/var/www/html/load/web">
            Options +FollowSymLinks -SymLinksIfOwnerMatch
            AllowOverride All
            Require all granted
            Order Allow,Deny
            Allow from All
        </Directory>
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
    </VirtualHost>
    

    Working configuration

    <VirtualHost *:80>
        DocumentRoot /var/www/html/load/web
        ServerName dev.load.com
        <Directory "/var/www/html/load/web">
            AllowOverride All
            Options All
            Order Allow,Deny
            Allow from All
        </Directory>
    
        # To allow authorization header
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    
        # RewriteCond %{SERVER_PORT} !^443$
        # RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
    </VirtualHost>
    
    0 Discussion (0)
  • 2020-11-22 07:13

    I had what I believe is the same issue. I found that I needed to adjust the Apache configuration to include a ServerName or ServerAlias for the host.

    This code failed:

    public class a {
       public static void main(String [] a) throws Exception {
          java.net.URLConnection c = new java.net.URL("https://mydomain.com/").openConnection();
          c.setDoOutput(true);
          c.getOutputStream();
       }
    }
    

    And this code worked:

    public class a {
       public static void main(String [] a) throws Exception {
          java.net.URLConnection c = new java.net.URL("https://google.com/").openConnection();
          c.setDoOutput(true);
          c.getOutputStream();
       }
    }
    

    Wireshark revealed that during the TLS/SSL Hello a warning alert (Level: Warning, Description: Unrecognized Name), Server Hello was being sent from the server to the client. It was only a warning; however, Java 7.1 then responded immediately back with a "Fatal, Description: Unexpected Message", which I assume means the Java SSL libraries don't like to see the warning of unrecognized name.

    From the Wiki on Transport Layer Security (TLS):

    112 Unrecognized name warning TLS only; client's Server Name Indicator specified a hostname not supported by the server

    This led me to look at my Apache config files and I found that if I added a ServerName or ServerAlias for the name sent from the client/java side, it worked correctly without any errors.

    <VirtualHost mydomain.com:443>
      ServerName mydomain.com
      ServerAlias www.mydomain.com
    
    0 Discussion (0)
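The root cause described in this answer (and behind the Apache configurations in the answer above) is that the hostname the Java client sends in the TLS SNI extension is not listed as a ServerName or ServerAlias of any virtual host. The following Python script is an added example, not code from this thread: it parses a constructed httpd snippet, collects the ServerName and ServerAlias entries of each <VirtualHost> (including wildcard aliases, and stripping any scheme or port from a ServerName value), and reports which of the hostnames clients will send are not covered, which is where an unrecognized_name alert is to be expected. It ignores which listening address a vhost is bound to; that is a simplification for the example, not how httpd selects a vhost.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample configuration (not from the thread): two TLS vhosts on the same port.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName mydomain.com
    ServerAlias www.mydomain.com *.api.mydomain.com
    DocumentRoot /var/www/html/load/web
</VirtualHost>

<VirtualHost *:443>
    ServerName https://dev.load.com:443
    DocumentRoot /var/www/html/dev
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$",
                          re.IGNORECASE | re.MULTILINE)


def _bare_host(value):
    """Strip an optional scheme and port from a ServerName value ('https://h:443' -> 'h')."""
    value = value.strip()
    if "://" in value:
        value = value.split("://", 1)[1]
    return value.split(":", 1)[0].lower()


def parse_vhosts(conf):
    """Return a list of (address_spec, [names]) pairs, one per <VirtualHost> block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        names = []
        for _directive, value in DIRECTIVE_RE.findall(body):
            # ServerAlias accepts several names on one line; ServerName takes one.
            for token in value.split():
                names.append(_bare_host(token))
        vhosts.append((addr.strip(), names))
    return vhosts


def covering_vhost(vhosts, sni_host):
    """Return the address spec of the first vhost whose names match sni_host, or None."""
    sni_host = sni_host.lower().rstrip(".")
    for addr, names in vhosts:
        # Apache ServerAlias wildcards (* and ?) are shell-style, so fnmatch reproduces them.
        if any(fnmatchcase(sni_host, pattern) for pattern in names):
            return addr
    return None


def audit(conf, sni_hosts):
    """Map each hostname a client may send in SNI to the vhost covering it (None = not covered)."""
    vhosts = parse_vhosts(conf)
    return {host: covering_vhost(vhosts, host) for host in sni_hosts}


if __name__ == "__main__":
    probe = ["mydomain.com", "WWW.mydomain.com", "v1.api.mydomain.com", "dev.load.com", "load.com"]
    for host, vhost in audit(SAMPLE_CONF, probe).items():
        status = vhost or "NOT COVERED: expect an unrecognized_name alert for this name"
        print(f"{host:25} -> {status}")
```

Feed it the names your Java clients actually put in the URL (that is what Java 1.7 sends as SNI); any name that comes back as not covered needs a ServerName or ServerAlias on the matching vhost, which fixes the server rather than disabling SNI or hostname verification on every client.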
  • 2020-11-22 07:14

    There is an easier way where you can just use your own HostnameVerifier to implicitly trust certain connections. The issue comes with Java 1.7 where SNI extensions have been added and your error is due to a server misconfiguration.

    You can either use "-Djsse.enableSNIExtension=false" to disable SNI across the whole JVM or read my blog where I explain how to implement a custom verifier on top of a URL connection.

    0 Discussion (0)