I am trying to access a website from my code using HttpClient:

```java
CloseableHttpClient httpclient = HttpClients.createDefault();

HttpGet httpget = new HttpGet("https://www.datamed.org/search.php?query=gene&searchtype=data");

ResponseHandler<String> responseHandler = new BasicResponseHandler();
String responseBody = httpclient.execute(httpget, responseHandler);
```

This is the error I am getting:

```
Exception in thread "main" javax.net.ssl.SSLException: hostname in certificate didn't match: <www.datamed.org> != <ucrexdc.ucsd.edu> OR <ucrexdc.ucsd.edu>
```

I checked the certificate from the browser; it seems correct, with correct names. Not sure where it is picking up ucrexdc.ucsd.edu from.

The code does work if I use a proxy. I have gone through a lot of similar issues on StackOverflow, but in most cases the server was under the user's control. In my case, this is an already existing website, and I have this problem only for this website.

Can it be a problem with my environment?

UPDATE:

I found out that both the websites (datamed.org and ucrexdc.ucsd.edu) have the same IP, 169.228.51.21. Can that be the problem? Why doesn't the browser have issues with this?

UPDATE 2:

I was using Apache http-client 4.3.1.
When I updated to 4.4.1, it was resolved. The issue was most possibly related to SNI.

gaurav5430
  • this might help http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https – Naman Dec 08 '16 at 05:44
  • Have seen; it suggests a workaround, which shouldn't be used in prod code. Moreover, I also want to know what is causing this to happen – gaurav5430 Dec 08 '16 at 05:48
  • @ScaryWombat new to this, did not see any Keystore code in the examples. I am able to connect to google.com without any keystore though. Also, datamed.org is not on my server. – gaurav5430 Dec 08 '16 at 05:55
  • The browser works because it supports SNI (https://en.wikipedia.org/wiki/Server_Name_Indication). Which version of Java are you using? – msbit Dec 08 '16 at 06:29
  • @msbit I am using Java 1.8 – gaurav5430 Dec 08 '16 at 06:31
  • Hmm, well SNI has been supported since Java 1.7, so it's likely something else. – msbit Dec 08 '16 at 06:32
  • @msbit ohk, any ideas why it works with a proxy? – gaurav5430 Dec 08 '16 at 06:34
  • Not sure, could be related in as much as the proxy only hosts the one site via SSL, so something like SNI isn't required for contacting it. – msbit Dec 08 '16 at 06:36
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/130073/discussion-between-msbit-and-gaurav5430). – msbit Dec 08 '16 at 06:45

1 Answer

HttpClient provides two implementations for Hostname verification.

  1. DefaultHostnameVerifier
  2. NoopHostnameVerifier

By default HttpClient uses the DefaultHostnameVerifier implementation. You can try the different hostname verifier implementation.

```java
SSLContext sslContext = SSLContexts.createSystemDefault();
// NoopHostnameVerifier turns hostname verification off: any hostname in the server certificate is accepted.
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
HttpClient httpClient = HttpClientBuilder.create().setSSLSocketFactory(sslsf).build();
```
Ravi
  • DO NOT ever do this in production code. I have encountered too many situations where something like this has been left in. This is BEGGING for a hijack or attack. Learn how TLS works and how certificates are involved. DO NOT DO THIS. – Dave G Jan 06 '17 at 08:54
  • @DaveG Thanks for the information, Dave. Do you know good documentation for TLS? – Ravi Jan 20 '17 at 10:14
  • This is probably a good starting point https://www.sans.org/reading-room/whitepapers/protocols/ssl-tls-beginners-guide-1029. There are a significant number of resources available to you on this subject. I would pose a stackoverflow question. You may be prompted with other similar or exact questions. – Dave G Jan 20 '17 at 11:41
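
Added example, not code from the question, the answer or Apache HttpClient: a simplified offline model of the failure discussed on this page, in which a client that sends no SNI receives the default certificate for the shared IP and strict hostname verification rejects it. The SAN lists, the choice of `ucrexdc.ucsd.edu` as the default virtual host, and all class and method names are assumptions made for illustration.

```java
import java.util.*;

// Simplified model with constructed data: one IP serving two HTTPS sites, as in the question.
public class SniMismatchDemo {
    // Names in each virtual host's certificate (constructed SAN lists, not the real certificates).
    static final Map<String, List<String>> VHOST_CERTS = new HashMap<>();
    static {
        VHOST_CERTS.put("www.datamed.org", Arrays.asList("datamed.org", "www.datamed.org"));
        VHOST_CERTS.put("ucrexdc.ucsd.edu", Arrays.asList("ucrexdc.ucsd.edu"));
    }
    static final String DEFAULT_VHOST = "ucrexdc.ucsd.edu"; // assumed default when no SNI is sent

    // Server side: pick the certificate from the SNI name in the ClientHello (null = none sent).
    static List<String> selectCertificate(String sni) {
        String key = (sni == null) ? DEFAULT_VHOST : sni.toLowerCase(Locale.ROOT);
        return VHOST_CERTS.getOrDefault(key, VHOST_CERTS.get(DEFAULT_VHOST));
    }

    // Client side: RFC 2818 style match of the requested host against one certificate name.
    // A wildcard is honoured only as the whole leftmost label and covers exactly one label.
    static boolean matches(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    // Strict verification: at least one certificate name must match the requested host.
    static boolean verify(String host, List<String> certNames) {
        return certNames.stream().anyMatch(name -> matches(host, name));
    }

    // One modelled handshake; returns a short description of the outcome.
    static String connect(String host, boolean sendSni) {
        List<String> cert = selectCertificate(sendSni ? host : null);
        return verify(host, cert) ? "OK, certificate names " + cert
                                  : "hostname mismatch: <" + host + "> != " + cert;
    }

    public static void main(String[] args) {
        String host = "www.datamed.org";
        System.out.println("without SNI: " + connect(host, false));
        System.out.println("with SNI:    " + connect(host, true));
        // Wildcard edge cases a strict verifier must reject.
        System.out.println("apex vs wildcard:      " + matches("datamed.org", "*.datamed.org"));
        System.out.println("two labels vs wildcard: " + matches("a.b.datamed.org", "*.datamed.org"));
    }
}
```

In the model, sending the server name is enough for the strict check to pass, so the verifier itself never has to be relaxed.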