HttpsUrlConnection and SSL Hostname Verification.

Ever visit a site where the SSL certificate doesn't quite match the Fully Qualified Domain Name (FQDN) of that site? Nowadays Firefox will simply refuse to take you there unless you add an exception for that site. Even high profile sites like Google AdSense are affected by this.

What happens when you try to retrieve a page on such a site using an HttpsURLConnection? You end up with an SSLHandshakeException. But what if you don't mind the host name mismatch? You know that the certificate does belong to the organization that owns the particular website, and you are only using SSL because you don't want anyone to sniff your username or password. What you can do then is replace the default HostnameVerifier with one of your own:

        import javax.net.ssl.HostnameVerifier;
        import javax.net.ssl.HttpsURLConnection;
        import javax.net.ssl.SSLSession;

        // Replace the JVM-wide default verifier with one that tolerates
        // every host name mismatch (the behaviour described below).
        HttpsURLConnection.setDefaultHostnameVerifier(
            new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession sess)
                {
                    // Only called when the certificate's name does not match the URL's host.
                    System.out.println("HostName = " + hostname);
                    return true;
                }
            }
        );

This bit of code accepts a host name mismatch from any SSL site: the verifier is only consulted when the certificate's name does not match the host in the URL, and this one always answers yes. Because we have used the static setDefaultHostnameVerifier method, all subsequent HttpsURLConnection instances inherit this behaviour. Ideally you should save the default HostnameVerifier before replacing it, so that you can hand verification back to it for every host except the one domain that causes the exception.
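The scoped replacement just described, as an added example that is not the post's own code: the default verifier is saved and consulted first, a mismatch is tolerated only for hosts on an explicit allow-list, and even then only if the server certificate names the parent domain we expect. The allow-listed host and the expected SAN "*.s3.amazonaws.com" are assumptions for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Delegates to the saved default verifier; only hosts on an explicit allow-list
// may pass a name mismatch, and only when the certificate names the expected domain.
public final class ScopedHostnameVerifier implements HostnameVerifier {
    private final HostnameVerifier fallback;    // the JVM default we saved before replacing it
    private final Set<String> allowedHosts;     // FQDNs tolerated despite the mismatch
    private final String expectedCertName;      // SAN the cert must carry, e.g. "*.s3.amazonaws.com" (assumed)

    public ScopedHostnameVerifier(HostnameVerifier fallback, Set<String> allowedHosts, String expectedCertName) {
        this.fallback = fallback;
        this.allowedHosts = allowedHosts;
        this.expectedCertName = expectedCertName;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (fallback.verify(hostname, session)) {
            return true;                         // certificate matches: nothing special to do
        }
        if (!allowedHosts.contains(hostname)) {
            return false;                        // a mismatch on any other host is still refused
        }
        try {
            // Chain validity was already checked by the TrustManager; confirm the leaf is the expected one.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            for (List<?> san : leaf.getSubjectAlternativeNames()) {
                if (Integer.valueOf(2).equals(san.get(0))          // GeneralName type 2 = dNSName
                        && expectedCertName.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        } catch (Exception e) {                  // no peer certs, no SAN extension, parse error
            return false;
        }
        return false;
    }

    // Save the current default, then install the wrapper around it.
    public static void install(Set<String> allowedHosts, String expectedCertName) {
        HostnameVerifier saved = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier(new ScopedHostnameVerifier(saved, allowedHosts, expectedCertName));
    }
}
```

For the bucket in the stack trace below this would be installed once at start-up with `ScopedHostnameVerifier.install(Collections.singleton("images.raditha.com.s3.amazonaws.com"), "*.s3.amazonaws.com")`; every other host keeps the JVM's normal verification.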

Finally, here is an example of the kind of stack trace that you are likely to see when wild card SSL certificates run wild:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching images.raditha.com.s3.amazonaws.com found
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)
        at com.amazon.s3.ListBucketResponse.<init>(ListBucketResponse.java:85)
        at com.amazon.s3.AWSAuthConnection.listBucket(AWSAuthConnection.java:190)
        at com.amazon.s3.AWSAuthConnection.listBucket(AWSAuthConnection.java:169)
        at LearnS3.listBucketContents(LearnS3.java:54)
        at LearnS3.main(LearnS3.java:43)

This particular stack trace was seen with the Amazon S3 reference implementation for Java. Their suggested solution is to switch off SSL.

Feb 12th, 2009 | Posted in Java