2

I have three issues when I use okhttp to get content from these web sites:

  1. http://www.wp.com fails with: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  2. http://www.macys.com fails with: java.net.ProtocolException: Too many follow-up requests: 21

  3. http://www.vk.me fails with: javax.net.ssl.SSLPeerUnverifiedException: Hostname www.vk.me not verified: certificate: sha256/Sx09coMBYByu6GDlS0E6daYLDVLydbmJjFNkTANfSg4= DN: CN=*.vk.com, OU=Domain Control Validated subjectAltNames: [*.vk.com, vk.com]

UPDATED at 2016/06/12:

  4. http://www.wordpress.com fails with: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

How can I fix issues 1-4 above? Thanks all!

Andy Chan
  • 277
  • 5
  • 16

2 Answers

2

Given that the sites have not been compromised:

(1) You are missing the root-CA certificate in your trusted store. This can happen if the CA used by the website is not delivered with the JDK. You need to manually add it to the trusted store using keytool.

(2) I researched the error and found that this is thrown by the okhttp client if it receives more than 20 redirect requests. My source is this: https://github.com/square/retrofit/issues/1561

Update: I just did a browser load page trace for macys.com. Impressive, you should give yourself the experience :-) The redirects are the normal load behavior of the page, the font is redirected zillions of times.

OkHttp implements the max redirect value of 20 as a hardcoded value: https://github.com/square/okhttp/blob/master/okhttp/src/main/java/okhttp3/internal/http/HttpEngine.java (line 91)

(3) The domain name in the certificate does not match the certificate presented. This is a common error on multihomed pages.

To fix (1), besides adding the CA, you could implement the Java SSL certificate path validator as described here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html#ValidationClasses

To fix (3) you need to implement a TrustManager as described here: SSL Certificate Verification in Java

Community
  • 1
  • 1
thst
  • 4,592
  • 1
  • 26
  • 40
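As an added example (not thst's code and not OkHttp's own), here is how points (1) and (2) of this answer can be handled on the client side without loosening validation: for (1), the missing root CA is appended to a copy of the JDK's bundled trust store and handed to OkHttp through the `sslSocketFactory(SSLSocketFactory, X509TrustManager)` builder method, so chain validation stays on and only the set of trusted roots grows; for (2), since the follow-up limit of 20 is hardcoded, automatic redirects are switched off and `Location` headers are followed with a cap the caller chooses. Assumptions: the OkHttp 3 API, a caller-supplied PEM file of CA certificates, and the JDK `cacerts` file under `java.home`.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.ProtocolException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class ExtraRootsClient {

    /** Issue (1): default JDK CAs plus the CA certificates in the PEM file at extraRootsPemPath. */
    public static OkHttpClient clientTrusting(String extraRootsPemPath)
            throws IOException, GeneralSecurityException {
        // Start from the bundled cacerts so public sites keep working. A null
        // password skips the keystore integrity check, which is fine for reading.
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(cacerts)) {
            store.load(in, null);
        }
        // Append every certificate in the PEM file, refusing anything not marked
        // as a CA (getBasicConstraints() returns -1 when cA is absent or false).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(extraRootsPemPath)) {
            int n = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() < 0) {
                    throw new GeneralSecurityException("not a CA certificate: " + x.getSubjectX500Principal());
                }
                store.setCertificateEntry("extra-root-" + n++, x);
            }
        }
        // Derive the trust manager from the merged store; OkHttp 3 wants both the
        // socket factory and the X509TrustManager it was built from.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) {
                tm = (X509TrustManager) t;
                break;
            }
        }
        if (tm == null) {
            throw new GeneralSecurityException("no X509TrustManager for " + tmf.getAlgorithm());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), tm)
                .build();
    }

    /**
     * Issue (2): OkHttp's follow-up limit is not configurable, so automatic
     * redirects are turned off and Location headers are followed here with an
     * explicit cap. The caller owns the returned Response and must close it.
     */
    public static Response fetchWithRedirectCap(OkHttpClient base, String url, int maxRedirects)
            throws IOException {
        OkHttpClient client = base.newBuilder()
                .followRedirects(false)
                .followSslRedirects(false)
                .build();
        HttpUrl next = HttpUrl.parse(url);
        if (next == null) {
            throw new IOException("not an http(s) URL: " + url);
        }
        for (int hop = 0; hop <= maxRedirects; hop++) {
            Response response = client.newCall(new Request.Builder().url(next).build()).execute();
            String location = response.header("Location");
            if (!response.isRedirect() || location == null) {
                return response;
            }
            response.close();
            // Relative Location values are resolved against the URL just fetched.
            HttpUrl target = next.resolve(location);
            if (target == null) {
                throw new IOException("unusable Location header: " + location);
            }
            next = target;
        }
        throw new ProtocolException("Too many follow-up requests: " + (maxRedirects + 1));
    }
}
```

The PEM-file route and the keytool route in the answer are equivalent: `keytool -importcert -keystore mystore.jks -alias extra-root -file root.pem` followed by loading `mystore.jks` instead of `cacerts` gives the same trust manager. Rejecting non-CA certificates when loading keeps an operator from accidentally pinning a leaf certificate as a root.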
1

For your 3rd issue, you can try the following:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Delegates to the platform's default verifier, but checks the fixed name
// ".vk.com" instead of the host that was actually connected to.
private HostnameVerifier getHostnameVerifier() {
    return new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
            return hv.verify(".vk.com", session);
        }
    };
}

then

import okhttp3.OkHttpClient;

// Install the verifier on the client; certificate chain validation is unchanged.
OkHttpClient client = new OkHttpClient.Builder()
        .hostnameVerifier(getHostnameVerifier())
        .build();
BNK
  • 23,994
  • 8
  • 77
  • 87
  • In fact, if it does not know the web site domain name, how can I do it? The program is to monitor web sites according to the user's requirements, and the domain name is not only "www.vk.com" but also other web sites; how can I ignore them all together? – Andy Chan Jun 11 '16 at 18:05
  • Of course, I know that if it always returns true, there will be security issues. Is there another way to fix it, any other solution? – Andy Chan Jun 11 '16 at 18:17
  • So there is no other solution? Just always return true to accept all certs? – Andy Chan Jun 12 '16 at 01:09
  • 1
    Sure, you can implement any complexity in host checking you find suitable. You could add a regex in your config that must match the cert CN. You can have a database of bad certs with hostnames that are OK. It depends on the effort you are willing to invest. – thst Jun 12 '16 at 07:20
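The comments above ask for a check that works across many monitored sites without returning true for everything, and thst's reply suggests driving it from configuration. As an added example (not BNK's code and not OkHttp's own), here is a HostnameVerifier that does that: the operator maps each multihomed host to the name its certificate is expected to carry (for the question's case, www.vk.me to www.vk.com), hosts without an entry are checked against their own name, and in every case the name must appear in the leaf certificate's dNSName subjectAltNames, with wildcards allowed only in the leftmost label. Assumptions: the OkHttp 3 API and a caller-supplied map standing in for whatever config file the monitoring program uses; matching subjectAltNames only (no CN fallback) is a design choice of this example.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import okhttp3.OkHttpClient;

/**
 * Narrows hostname verification to a configured alias instead of disabling it:
 * the certificate must still name either the host itself or its configured alias.
 */
public final class AliasHostnameVerifier implements HostnameVerifier {
    // Hypothetical operator config: lower-case host -> name expected in the certificate.
    private final Map<String, String> expectedNameByHost;

    public AliasHostnameVerifier(Map<String, String> expectedNameByHost) {
        this.expectedNameByHost = expectedNameByHost;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        String host = hostname.toLowerCase(Locale.ROOT);
        String expected = expectedNameByHost.getOrDefault(host, host);
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            for (String san : dnsNames((X509Certificate) chain[0])) {
                if (matches(san, expected)) {
                    return true;
                }
            }
            return false;
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // no verified peer certificate or unparsable SANs: never accept
        }
    }

    /** dNSName entries (GeneralName type 2) of the certificate's subjectAltName extension. */
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return Collections.emptyList();
        }
        List<String> names = new ArrayList<>();
        for (List<?> entry : sans) {
            if (entry.size() >= 2 && Integer.valueOf(2).equals(entry.get(0)) && entry.get(1) instanceof String) {
                names.add(((String) entry.get(1)).toLowerCase(Locale.ROOT));
            }
        }
        return names;
    }

    /**
     * Exact match, or a wildcard in the leftmost label only: "*.vk.com" covers
     * "www.vk.com" but neither "vk.com" nor "a.b.vk.com".
     */
    static boolean matches(String san, String expected) {
        if (san.equals(expected)) {
            return true;
        }
        if (san.startsWith("*.") && san.indexOf('*', 1) < 0) {
            int dot = expected.indexOf('.');
            return dot > 0 && expected.substring(dot).equals(san.substring(1));
        }
        return false;
    }

    /** Installs the verifier on an OkHttp 3 client; certificate chain validation is untouched. */
    public static OkHttpClient client(Map<String, String> expectedNameByHost) {
        return new OkHttpClient.Builder()
                .hostnameVerifier(new AliasHostnameVerifier(expectedNameByHost))
                .build();
    }
}
```

With `Collections.singletonMap("www.vk.me", "www.vk.com")` the certificate from the question (subjectAltNames `*.vk.com`, `vk.com`) is accepted for www.vk.me, while a certificate that names neither the host nor its alias is still rejected, and every host without an entry gets ordinary subjectAltName matching against its own name.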