
This is the exception that I'm getting:

Host name 'bla bla bla.com' does not match the certificate subject provided by the peer (CN=*.bla bla bla.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated)

I already saw this question:

Ignoring SSL certificate in Apache HttpClient 4.3

and I did as it suggests, but it didn't work. I have seen many questions related to the problem, but they are all deprecated.

This is my code:

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

// Trust material: accept self-signed certificates in addition to the JVM's default trust store.
// This only relaxes the chain/trust check; hostname verification is still performed.
SSLContextBuilder builder = new SSLContextBuilder();
builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
// This constructor uses the default (browser-compatible) hostname verifier,
// which is what raises the "Host name ... does not match" exception above.
SSLConnectionSocketFactory sslsf =
    new SSLConnectionSocketFactory(builder.build());
CloseableHttpClient httpclient =
    HttpClients.custom().setSSLSocketFactory(sslsf).build();
HttpGet httpGet = new HttpGet("https://b.blablabla.com");
CloseableHttpResponse response1 = httpclient.execute(httpGet);
try {
    System.out.println(response1.getStatusLine());
    HttpEntity entity1 = response1.getEntity();
    // do something useful with the response body
    // and ensure it is fully consumed
    EntityUtils.consume(entity1);
} finally {
    response1.close();
}

How can I bypass this certificate thing? This is just for testing; it is not a real production environment.

frasertweedale
Ania David
  • Shouldn't it be `new HttpGet("https://blablanla.com")`? – Tamas Hegedus Apr 23 '16 at 12:18
  • @TamasHegedus Actually it is, I was just hiding the actual domain name. Typo, corrected now – Ania David Apr 23 '16 at 12:21
  • The server answered with a subdomain cert, requesting `https://x.blablabla.com` may help – Tamas Hegedus Apr 23 '16 at 12:23
  • @TamasHegedus sorry, I didn't get your last comment. Could you describe more? – Ania David Apr 23 '16 at 12:29
  • The certificate the server answered with is a wildcard certificate, `*.blabla.com`. That cert is not valid for the `blabla.com` domain, only its subdomains. Try sending a request to a subdomain: `new HttpGet("https://x.blahblahblah.com")` – Tamas Hegedus Apr 23 '16 at 12:38
  • @TamasHegedus my friend, bla bla bla means I was hiding the actual domain; in my real code I do request the subdomain like this (bla bla *.* bla bla bla bla). If you can help me, I really appreciate it. – Ania David Apr 23 '16 at 12:42
  • I do understand that blabla is just a placeholder. 1: That does not authorize you to post malformed urls like `http: bla bla bla .com`. How do we know that your actual url is well-formed? And how do we know that you are trying to access a subdomain or not? You stripped relevant information from your code and did not even try to replace it with something helpful. – Tamas Hegedus Apr 23 '16 at 12:49
  • See if this link helps http://stackoverflow.com/questions/34655031/javax-net-ssl-sslpeerunverifiedexception-host-name-does-not-match-the-certifica – Madhusudana Reddy Sunnapu Apr 23 '16 at 12:56
  • @TamasHegedus I corrected the URL now, hope that could help – Ania David Apr 23 '16 at 13:55
  • What about the error message? Why doesn't the wildcard match the requested domain? – Tamas Hegedus Apr 23 '16 at 14:05
  • @TamasHegedus sorry, I didn't get you. Are you suggesting that I edit the question and put `blablabla` instead of `bla bla bla` in the error message?! – Ania David Apr 23 '16 at 14:07
  • No, that's not the point. I am trying to understand what's happening. For example: requesting `"example.com"` but getting a response cert for `"*.example.com"`, or requesting "sub.example.com" and getting a response cert valid for `"*.example.com"` (in this case there shouldn't be an error), or requesting `"sub.szilbasbukta.com"` and getting cert `"*.example.com"` back (this implies serious misconfiguration). That's what I ask. – Tamas Hegedus Apr 23 '16 at 14:15
  • But maybe I misunderstood you and you do not want an actual solution, just to ignore the SSL error. In this case all my questions are irrelevant. Is that the case? If so, please change the question accordingly. – Tamas Hegedus Apr 23 '16 at 14:17
  • See this http://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclient-4-0 – Tamas Hegedus Apr 23 '16 at 14:28
  • Wow! The real issue is that a CN with a wildcard (CN=*.example.com) is considered invalid. I think if the wildcard is placed in the Subject Alternative Name field then it is OK, but if it is not your site, then it is bad. For example github-cloud.s3.amazonaws.com has a certificate with CN=*.s3.amazonaws.com, so requests to any S3 resources will fail. – Denis Kalinin Jul 08 '16 at 10:19
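The wildcard rule the comments above describe (a `*.example.com` certificate covers `sub.example.com` but not `example.com` or `a.b.example.com`, and a wildcard CN only counts when the certificate has no Subject Alternative Name entries) as an added stand-alone example. This is not the question's code nor HttpClient's own verifier; it is written in Python to make the RFC 6125 matching rule explicit, and the hostnames are the question's placeholders. HttpClient's own verifier classes differ in details (the browser-compatible one is more lenient about multi-level subdomains).

```python
# Added example (not from the question or from Apache HttpClient):
# RFC 6125-style hostname matching, to show why a wildcard certificate
# does or does not cover a requested host.
from typing import Optional, Sequence


def _identifier_matches(pattern: str, host: str) -> bool:
    """Match one presented identifier (possibly '*.example.com') against a host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    # Only a single leading wildcard label is accepted ('*.example.com');
    # '*foo.example.com' or '*.*.com' are rejected outright.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                  # '.example.com'
    if not host.endswith(suffix):
        return False                      # different domain entirely
    covered = host[: -len(suffix)]        # what the '*' would have to stand for
    # The wildcard covers exactly one non-empty label, so the bare domain
    # ('example.com') and deeper names ('a.b.example.com') both fail.
    # Public-suffix checks ('*.com') are deliberately omitted here.
    return bool(covered) and "." not in covered


def hostname_matches(host: str, san_dns: Sequence[str], cn: Optional[str]) -> bool:
    """True if the host is covered by the certificate.

    SAN dNSName entries are authoritative when present; the subject CN is
    consulted only as a fallback for certificates without any SAN dNSName.
    """
    if san_dns:
        return any(_identifier_matches(p, host) for p in san_dns)
    return cn is not None and _identifier_matches(cn, host)


if __name__ == "__main__":
    # Constructed cases mirroring the question: wildcard CN, no SAN.
    for h in ("b.blablabla.com", "blablabla.com", "a.b.blablabla.com"):
        print(h, "->", hostname_matches(h, [], "*.blablabla.com"))
```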

1 Answer

Besides localhost, you can add your own custom hostnames to your development machine. Use C:/windows/system32/etc/hosts to add the hostname anjadavid.blablabla.com, for example.

Now open your browser, go to https://anjadavid.blablabla.com, and the error disappears.

Grim