
I am trying to access the Bristol Open Data portal using the Apache HttpClient library but I am getting a hostname mismatch with the certificate. Sample code is given below. I can't figure out what the problem is.

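```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;

public class RESTTest {
    public static void main(String[] args) throws Exception {
        DefaultHttpClient client = new DefaultHttpClient();

        HttpGet request = new HttpGet("https://opendata.bristol.gov.uk/resource/c2c2-hpww.json");
        request.setHeader("X-App-Token", "my-token");
        // The SSLException in the trace below is thrown from this call
        HttpResponse response = client.execute(request);

        BufferedReader reader = new BufferedReader(new InputStreamReader(response.getEntity().getContent()));
        String line = reader.readLine();
        while (line != null) {
            System.out.println(line);
            line = reader.readLine();
        }
    }
}
```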

This code produces the following output:

```
Exception in thread "main" javax.net.ssl.SSLException: hostname in certificate didn't match: <opendata.bristol.gov.uk> != <*.api.eu.socrata.com> OR <*.api.eu.socrata.com> OR <api.eu.socrata.com>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
    at RESTTest.main(RESTTest.java:17)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
```

The debug output (`-Djavax.net.debug=all`) can be found at http://pastebin.com/WNFjbSTZ

K G
  • What hostname does it claim is set by the certificate? Chrome looks pretty happy with the cert, but I'm having our security team take a look. Also, are you connecting from behind a proxy? – chrismetcalf Jul 14 '16 at 18:45
  • What version of the JDK are you using? It looks like your client will need to support SNI for that domain, and it looks like you'd need Java 1.7 or higher: https://stackoverflow.com/questions/25854543/how-to-enable-sni-in-http-request-using-apache-httpcomponents-httpclient – chrismetcalf Jul 14 '16 at 18:49
  • @chrismetcalf I should have added the output before. Sorry. My bad. I am not connecting from behind a proxy. – K G Jul 15 '16 at 02:20
  • I am using JDK 8. It sounds like SNI should already be supported by it. – K G Jul 15 '16 at 02:27
  • @chrismetcalf added debug output for `-Djavax.net.debug=all` as well now. – K G Jul 15 '16 at 12:05
  • Yep, that definitely looks like a hostname mismatch error. I'll follow up with our security team again, I wonder if something is misconfigured. – chrismetcalf Jul 15 '16 at 20:48
  • It looks like `DefaultHttpClient` is deprecated, and you should use `HttpClientBuilder` instead: https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/client/DefaultHttpClient.html, https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/client/HttpClientBuilder.html – chrismetcalf Jul 15 '16 at 21:04
  • @chrismetcalf thanks for that. So I'm actually using HttpClient 4.2.5, mainly because another library I'm using requires it as a dependency. HttpClientBuilder does not exist in 4.2.5. Is that the reason? – K G Jul 16 '16 at 03:12
  • Hmm. Looks like SNI support was added in `HttpClient` 4.2.3, so you're _probably_ OK, assuming you really are using Java 1.7+ and SNI isn't turned off somehow: https://github.com/apache/httpclient/blob/trunk/RELEASE_NOTES.txt#L436 – chrismetcalf Jul 18 '16 at 19:04
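
Added example, not part of the original thread: the comparison behind the exception, run over the hostname and certificate names quoted in the error message. It is a simplified, strict wildcard check (one label per `*`), not HttpClient's `BrowserCompatHostnameVerifier`; the class and method names are hypothetical and every host other than the one from the question is constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class HostnameMatchDemo {

    // Strict rule: "*" may only be the entire left-most label and stands for exactly one label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);                      // no wildcard: exact, case-insensitive match
        }
        String suffix = p.substring(1);              // e.g. ".api.eu.socrata.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    // A connection is acceptable if the requested host matches any name in the certificate.
    static boolean anyMatch(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matches(host, name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Certificate names copied from the exception message in the question.
        List<String> presented = Arrays.asList("*.api.eu.socrata.com", "api.eu.socrata.com");
        String[] hosts = {
            "opendata.bristol.gov.uk",     // host requested in the question
            "example.api.eu.socrata.com",  // constructed: one label under the wildcard
            "a.b.api.eu.socrata.com",      // constructed: two labels, too deep for "*"
            "API.EU.SOCRATA.COM"           // constructed: bare name, different case
        };
        for (String host : hosts) {
            String verdict = anyMatch(host, presented) ? "match" : "MISMATCH";
            System.out.printf("%-28s -> %s%n", host, verdict);
        }
    }
}
```

The certificate the client received carries only Socrata names, so no verifier configuration short of disabling the check would accept it for `opendata.bristol.gov.uk`; the useful question is why the server presented that certificate for this request.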

0 Answers