I am facing a weird issue with the Apache HTTPS client. I am trying to connect to an external HTTPS website which has basic authentication turned on (SSL server authentication only). Here is the summary of my tests and conclusions.
- Use either of Chrome/Firefox/IE to connect to the website -> success
- Use javax.net.ssl.HttpsURLConnection -> success
- Use either of DefaultHttpClient or SystemDefaultHttpClient -> failure
I tried to debug by setting "javax.net.debug" to "ssl". I noticed that both clients pick up the same trust store (the default JDK trust store) and use the same protocol (TLSv1). However, the differences were here:
I noticed that the following extension was returned by the JDK
Extension server_name, server_name: [host_name: websitehostname]
while the above extension was missing in the Apache web client debug log.
Also, one more difference I saw was in the certificate chain.
The response below is from the JDK native client:
* Certificate chain chain [0] = [ [ Version: V3 Subject: CN=websitename, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)13, OU=GT17702541, SERIALNUMBER=Q2La1fpFlFdNy4kUCIehYlMvw6bq64Ch Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
while in the Apache client it is the following:
chain [0] = [ [ Version: V3 Subject: EMAILADDRESS=root@i4319, CN=i4319, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=-- Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
and, obviously, I get the following exception with the Apache HTTPS client:
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Before I go back and redo my work to use the JDK native client, I would like to know what is happening. Any insight on this behaviour would be appreciated.
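The debug logs above differ in exactly one handshake detail: the server_name (SNI) extension. A server hosting several sites on one address uses SNI to choose which certificate to present; a client that omits it gets the default virtual host's certificate (here the self-signed "CN=i4319" one), which then fails validation. The following diagnostic, added here as an example and not part of the original post or of Apache HttpClient, opens two plain JSSE connections to a host, one with SNI and one without, and prints the subject of the leaf certificate each handshake returns. It requires Java 8 or later; the host name is a placeholder to be replaced.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Compares the server certificate presented with and without the SNI
 * extension. Different subjects mean the server relies on SNI to select
 * its certificate, so any client that omits the extension will be handed
 * the default virtual host's certificate and fail peer verification.
 */
public class SniCheck {

    /** Returns the subject DN of the first (leaf) certificate the server sends. */
    static String leafSubject(String host, boolean sendSni) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            SSLParameters params = socket.getSSLParameters();
            // A non-empty server-name list forces the server_name extension;
            // an empty list suppresses it (JSSE treats empty as "no SNI").
            params.setServerNames(sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList());
            socket.setSSLParameters(params);
            socket.startHandshake();
            // getPeerCertificates() throws SSLPeerUnverifiedException if the
            // chain could not be validated, the same exception type seen above.
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host name; pass the real site on the command line.
        String host = args.length > 0 ? args[0] : "websitehostname.example";
        System.out.println("with SNI:    " + leafSubject(host, true));
        System.out.println("without SNI: " + leafSubject(host, false));
    }
}
```

If the second call fails with SSLPeerUnverifiedException (or prints a different subject) while the first succeeds, the server requires SNI, and the HTTP client in use must send it.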