tags:

views:

74

answers:

1
+1  Q: 

SSLException when server cert uses SAN (Subject Alternative Name)

I'm trying to establish a https connection using the classes in org.apache.http.*. As part of my setup, I'm using the BrowserCompatHostnameVerifier() class which states:

The hostname must match either the first CN, or any of the subject-alts. A wildcard can occur in the CN, and in any of the subject-alts.

When I hit a server who's hostname doesn't match that which is specified in the CN but does match one of the entries in the subject-alts, I get the following exception:

javax.net.ssl.SSLException: hostname in certificate didn't match: <mtvniph1-f.akamaihd.net> != <a248.e.akamai.net>
     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:222)
     at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:151)
     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:132)
     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:321)

Here's the relevant code block that's causing this error:

DefaultHttpClient seed = new DefaultHttpClient();
SchemeRegistry registry = new SchemeRegistry();

SSLSocketFactory ssf = SSLSocketFactory.getSocketFactory();

// XXX: This verifier isn't working with Subject Alternative Names
ssf.setHostnameVerifier(new BrowserCompatHostnameVerifier());

registry.register(new Scheme("https", ssf, 443));

SingleClientConnManager mgr = new SingleClientConnManager(seed.getParams(), registry);
DefaultHttpClient http = new DefaultHttpClient(mgr, seed.getParams());

// Config point, change to your preference
String url = "https://mtvniph1-f.akamaihd.net/e3_ubisoft_prod0.m3u8";

HttpGet method = new HttpGet(url);

HttpResponse response = null;
try
{
    response = http.execute(method);
}
catch (Exception e)
{
    Log.e(TAG, "Request failed", e);
}

Compare this behavior and that when you replace the url with "https://www.google.com". I can work around this by creating my own X509HostnameVerifier, but I want to know if this is a valid bug in BrowserCompatHostnameVerifier or if I'm doing something wrong.

Anyone else having similar issues?

A: 

According to trunk AbstractVerifier.java, it isn't picking up your subjectAltName (it lists all the names it finds in the exception). openssl s_client -connect mtvniph1-f.akamaihd.net:443 -showcerts suggests it's not a problem with the certificate.

tc.  2010-08-18 13:26:15

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL