When I send an HTTPS request to a Bluemix service, I get an exception:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: unrecognized_name
        at com.ibm.jsse2.o.a(o.java:8)
        at com.ibm.jsse2.o.a(o.java:4)
        at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:40)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:554)
        at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)
        at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1207)
        at com.ibm.net.ssl.www2.protocol.https.b.getInputStream(b.java:15)
        at com.ibm.denisTeam.Main.NotesMain(Main.java:32)
        at lotus.domino.AgentBase.runNotes(Unknown Source)
        at lotus.domino.NotesThread.run(Unknown Source)

Does somebody know how to solve that exception?

I make the request with the following code:

    URL url = new URL(HOST);
    HttpURLConnection con = (HttpURLConnection) url.openConnection();

Alexander

2 Answers

0

An SSLHandshakeException occurs when the client (in this case, the client is the JVM in the Domino server where your agent is running) and the server (Bluemix) don't have a secure connection protocol and cipher in common. What version of the Domino server are you running?

My best guess is that Bluemix is probably not accepting SSL3 or TLSv1.0 protocols anymore due to known security issues in those protocols, but the JVM on your Domino server does not support TLSv1.1 or v1.2. (It's only a guess, but a lot of services are doing this.)

There's some information about getting TLSv1.2 working in outbound connections from Java agents in this IBM Technote, but I think it is specific to Domino 9. If you're on an earlier version, then you may have to search around a bit to find the right info for your version. Be careful in your searching, though, because a lot of the sources of information about TLS support and Domino only cover configuring Domino's services to accept inbound connections, and that won't help you with issues related to the JVM making outbound connections.

Richard Schwartz
  • I have 9.0.1 with FP 7 – Alexander Feb 08 '17 at 06:23
  • In that case, it seems like the technote information might help you, but perhaps before jumping to setting https.protocols=TLSv1, you should first set javax.net.debug=all in the jvmOptions.txt file and examine the detailed output to determine what protocols are being tried. This article has a good summary of the type of info you should see: https://dzone.com/articles/how-analyze-java-ssl-errors – Richard Schwartz Feb 08 '17 at 13:30
  • If I understand the problem correctly, Bluemix has auto SSL support. Domino doesn't trust the auto certificate and it doesn't create a cross certificate. But I don't know how to solve this problem. – Alexander Feb 08 '17 at 13:58
  • I don't quite know what you mean by "auto SSL support", but if the debug output is indicating that Domino is not trusting the certificate from Bluemix, then you need to import a trusted root certificate from somewhere in the chain that signed the Bluemix certificate into the Domino JVM. This technote covers how to do that (but it's for Domino 8.5, so you may need to check with IBM to see if it still applies for Domino 9): http://www-01.ibm.com/support/docview.wss?uid=swg21588966 – Richard Schwartz Feb 08 '17 at 14:24
  • I think it's not an untrusted exception, because I've already tried all the solutions for it. It's something different. – Alexander Feb 09 '17 at 09:43
  • Hmmm... I hadn't looked at it closely enough. You're getting "unrecognized_name". I think you're right that it's not a trust issue. Have you read through this: http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0 ? – Richard Schwartz Feb 09 '17 at 14:18
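
As an added example (not code from the question or from either answer), the Java class below prints the TLS protocol versions the running JVM supports and enables, then sorts a handshake exception message into the three causes considered in the comments above: protocol mismatch, certificate trust, and the server-name alert. The class and method names and the matched substrings are assumptions, and the second and third sample messages are constructed.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.Locale;

// Added example; class, enum and method names are hypothetical.
public class HandshakeTriage {
    enum Cause { SERVER_NAME, TRUST, PROTOCOL_OR_CIPHER, UNKNOWN }

    // Matches standard TLS alert names plus common JSSE wording (an assumption:
    // exact messages vary by JVM vendor and version, so treat a match as a hint).
    static Cause classify(String message) {
        String m = message == null ? "" : message.toLowerCase(Locale.ROOT);
        if (m.contains("unrecognized_name")) return Cause.SERVER_NAME;
        if (m.contains("pkix") || m.contains("certificate_unknown")
                || m.contains("unknown_ca") || m.contains("bad_certificate"))
            return Cause.TRUST;
        if (m.contains("handshake_failure") || m.contains("protocol_version")
                || m.contains("no appropriate protocol"))
            return Cause.PROTOCOL_OR_CIPHER;
        return Cause.UNKNOWN;
    }

    static String nextStep(Cause c) {
        switch (c) {
            case SERVER_NAME:
                return "alert concerns the server name sent in the ClientHello; "
                     + "check the URL host against the names the server is configured for";
            case TRUST:
                return "import a root from the server's chain into the JVM trust store";
            case PROTOCOL_OR_CIPHER:
                return "compare the protocols printed above with what the server accepts";
            default:
                return "set javax.net.debug=all and read the handshake trace";
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled:   " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        String[] samples = {
            "Received fatal alert: unrecognized_name",   // message from the question
            "Received fatal alert: handshake_failure",   // constructed sample
            "PKIX path building failed"                  // constructed sample
        };
        for (String s : samples) {
            System.out.println(s + " -> " + classify(s) + ": " + nextStep(classify(s)));
        }
    }
}
```

Running it inside the same JVM that makes the outbound call matters, because the supported and enabled protocol lists are a property of that JVM, not of the server's inbound TLS configuration.
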
0

With Fix Pack 8 this problem is solved.

Alexander