Apache HTTPClient SSLPeerUnverifiedException

Question

Using Apache HttpClient 4.2.1. Using code copied from the form based login example

http://hc.apache.org/httpcomponents-client-ga/examples.html

I get an exception when accessing an SSL protected login form:

Getting library items from https://appserver.gtportalbase.com/agileBase/AppController.servlet?return=blank
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Closing http connection
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)

The certificate as far as I can tell is fine (see the URL before the stack trace), not expired - browsers don't complain.

I've tried importing the certificate into my keystore a la

How to handle invalid SSL certificates with Apache HttpClient?

with no change. I believe you can create a custom SSLContext to force Java to ignore the error but I'd rather fix the root cause as I don't want to open up any security holes.

Any ideas?

score 24 · Accepted Answer · edited May 23 '17 at 12:02

EDIT I realise this answer was accepted a long time ago and has also been upvoted 3 times, but it was (at least partly) incorrect, so here is a bit more about this exception. Apologies for the inconvenience.

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

This is usually an exception thrown when the remote server didn't send a certificate at all. However, there is an edge case, which is encountered when using Apache HTTP Client, because of the way it was implemented in this version, and because of the way sun.security. ssl.SSLSocketImpl.getSession() is implemented.

When using Apache HTTP Client, this exception will also be thrown when the remote certificate isn't trusted, which would more often throw "sun.security.validator.ValidatorException: PKIX path building failed".

The reasons this happens is because Apache HTTP Client tries to get the SSLSession and the peer certificate before doing anything else.

Just as a reminder, there are 3 ways of initiating the handshake with an SSLSocket:

calling startHandshake which explicitly begins handshakes, or

any attempt to read or write application data on this socket causes an implicit handshake, or

a call to getSession tries to set up a session if there is no currently valid session, and an implicit handshake is done.

Here are 3 examples, all against a host with a certificate that isn't trusted (using javax.net.ssl.SSLSocketFactory, not the Apache one).

Example 1:

    SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory();
    SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example",
            443);
    sslSocket.startHandshake();

This throws "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" (as expected).

Example 2:

    SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory();
    SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example",
            443);
    sslSocket.getInputStream().read();

This also throws "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" (as expected).

Example 3:

    SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory();
    SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example",
            443);
    SSLSession sslSession = sslSocket.getSession();
    sslSession.getPeerCertificates();

This, however, throws javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.

This is the logic implemented in Apache HTTP Client's AbstractVerifier used by its org.apache.http.conn.ssl.SSLSocketFactory in version 4.2.1. Later versions make an explicit call to startHandshake(), based on reports in issue HTTPCLIENT-1346.

This ultimately seems to come from the implementation of sun.security. ssl.SSLSocketImpl.getSession(), which catches potential IOExceptions thrown when calling startHandshake(false) (internal method), without throwing it further. This might be a bug, although this shouldn't have a massive security impact, since the SSLSocket will still be closed anyway.

Example 4:

    SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory();
    SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example",
            443);
    SSLSession sslSession = sslSocket.getSession();
    // sslSession.getPeerCertificates();
    sslSocket.getInputStream().read();

Thankfully, this will still throw "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed", whenever you actually try to use that SSLSocket (no loophole there by getting the session without getting the peer certificate).

How to fix this

Like any other issue with certificates that are not trusted, it's a matter of making sure the trust store you're using contains the necessary trust anchors (i.e. the CA certificates that issued the chain you're trying to verify, or possibly the actual server certificate for exceptional cases).

To fix this, you should import the CA certificate (or possibly the server certificate itself) into your trust store. You can do this:

in your JRE trust store, usually the cacerts file (that's not necessarily the best, because that would affect all applications using that JRE),
in a local copy of your trust store (which you can configure using the -Djavax.net.ssl.trustStore=... options),
by creating a specific SSLContext for that connection (as described in this answer). (Some suggest to use a trust manager that does nothing, but this would make your connection vulnerable to MITM attacks.)

Initial answer

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

This has nothing to do with trusting certificates or you having to create a custom SSLContext: this is due to the fact that the server isn't sending any certificate at all.

This server is visibly not configured to support TLS properly. This fails (you won't get a remote certificate):

openssl s_client -tls1 -showcerts -connect appserver.gtportalbase.com:443

However, SSLv3 seems to work:

openssl s_client -ssl3 -showcerts -connect appserver.gtportalbase.com:443

If you know who's running this server, it would be worth contacting them to fix this problem. Servers should really support TLSv1 at least nowadays.

Meanwhile, one way to fix this problem would be to create your own org.apache.http.conn.ssl.SSLSocketFactory and use it for this connection with Apache Http client.

This factory would need to create an SSLSocket as usual, use sslSocket.setEnabledProtocols(new String[] {"SSLv3"}); before returning that socket, to disable TLS, which would otherwise be enabled by default.

Hmm, I get a remote certificate with both. Will try from a few different clients — Oliver Kohll, Aug 23 '12 at 20:45
From OSX, both work, from Linux, only ssl3. Will look into server config. — Oliver Kohll, Aug 23 '12 at 20:49
This could have something to do with the cipher suites. On your OSX client, does `openssl ciphers DEFAULT` have the same cipher suites as on your Linux client? Some that would be in the OSX list but not on Linux? — Bruno, Aug 23 '12 at 20:55
OK, I got it to work by manually creating a trust manager like http://priyanka-tyagi.blogspot.co.uk/2011/08/how-did-i-setup-ssl-with-httpclient-412.html Seems to work with both TLS and SSLv3. Not sure what to do with this answer. It seems reasonable and may be an alternative but is untested. I'm marking accepted to give the benefit of the doubt, if there's any reason why I shouldn't, let me know — Oliver Kohll, Aug 23 '12 at 22:37
@OliverKohll That trust manager just implements the default behavior, which is to use the trust store in the JRE. If you want to use a different trust store, just set -Djavax.net.ssl.trustStore=xxx. You don't need the code. — user207421, Aug 23 '12 at 22:54
Using that trust manager shouldn't change anything. Note that using `TLS` or `SSLv3` when initialising an `SSLContext` isn't what controls the protocol (in case that's what you've used). You server still has problems with some cipher suites. I'd say `ECDHE-RSA-AES256-SHA` is the one to blame, since `openssl s_client -tls1 -connect appserver.gtportalbase.com:443 -cipher 'DEFAULT:!ECDHE-RSA-AES256-SHA'` works (of course it depends on your default list). Did you change from Java 6 and 7 between your tests (since the preference order isn't the same)? — Bruno, Aug 23 '12 at 23:11
No, theoretically Java 7 is default but there are multiple versions on the machine (latest Oracle Java 7 a few days ago). I'll check out the cipher, thanks for the note. — Oliver Kohll, Aug 23 '12 at 23:42

score 0 · Answer 2 · answered Aug 23 '12 at 16:27

0

Create a custom context so you can log why the cert is invalid. Or just debug into it.

answered Aug 23 '12 at 16:27

David Roussel

5,788
1
30
35

Apache HTTPClient SSLPeerUnverifiedException

2 Answers2

Linked

Related