I am undergoing a task to get the SSL expiration date for a domain website and one that is accessed via IP. I have written the code below. When I give a domain name it gives me the correct output, but when I give an IP address in the URL, i.e. 192.168.1.1, it throws a javax.net.ssl.SSLException: Received fatal alert: protocol_version error. Can you let me know what I am doing wrong here?

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public class SSLTest {

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://google.co.in");
        System.out.println("Expiration Date: " + getCertificateExpiration(url));
    }

    /**
     * Returns the expiration (notAfter) date of the X.509 Certificate
     * used to encrypt the HTTPS connection of the given URL.  If the
     * connection is not a secure HTTPS connection or the server is not
     * signed with an X.509 certificate, this method returns null.  You
     * may want to modify the implementation to throw relevant
     * exceptions if you need to handle those conditions separately.
     * @param url the URL to connect to
     * @return the expiration (notAfter) date of the server's X.509 Certificate or
     * null if unable to connect, the connection is not secure, or the server is
     * not signed with an X.509 certificate.
     */
    public static Date getCertificateExpiration(URL url) {
        try {
            URLConnection conn = url.openConnection();
            conn.connect();
            if (conn instanceof HttpsURLConnection) {
                /* Retrieve the N-length signing chain for the server certificates.
                   certs[0] is the server's certificate.
                   certs[1] - certs[N-2] are the intermediate authorities that signed the cert.
                   certs[N-1] is the last certificate of the chain (the root
                   certificate authority, if the server sends it). */
                Certificate[] certs = ((HttpsURLConnection) conn).getServerCertificates();
                if (certs.length > 0 && certs[0] instanceof X509Certificate) {
                    // certs[0] is an X.509 certificate, return its "notAfter" date
                    return ((X509Certificate) certs[0]).getNotAfter();
                }
            }
            // connection is not HTTPS or server is not signed with an X.509 certificate, return null
            return null;
        } catch (SSLPeerUnverifiedException spue) {
            // connection to server is not verified, unable to get certificates
            return null;
        } catch (IllegalStateException ise) {
            // shouldn't get here -- indicates attempt to get certificates before
            // connection is established
            return null;
        } catch (IOException ioe) {
            // error connecting to URL -- this must be caught after
            // SSLPeerUnverifiedException, which is a subclass of IOException
            return null;
        }
    }
}
```

The error stack trace is as follows:

```
javax.net.ssl.SSLException: Received fatal alert: protocol_version
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at com.test.SSLTest.getCertificateExpiration(SSLTest.java:39)
    at com.test.SSLTest.main(SSLTest.java:21)
```
  • SSL certificates are tied to domain names, it makes little sense to try and use HTTPS with an IP address - http://stackoverflow.com/a/33419662/1427878 – CBroe Apr 13 '17 at 10:19
  • @CBroe That doesn't explain a 'protocol version' error. – user207421 Apr 13 '17 at 10:33
  • @OP Please post the entire stack trace. – user207421 Apr 13 '17 at 10:33
  • @EJP If the server is configured as a virtual host, it might require SNI to access it via HTTPS. Accessing it via an IP address would not set a host name for SNI. – Andrew Henle Apr 13 '17 at 13:12
  • @EJB Stacktrace updated – Rachit M Garg Apr 14 '17 at 00:07
  • Does 192.168.1.1 really have a domain name? Or are you comparing what happens when you connect to two different hosts? – user207421 Apr 14 '17 at 00:24
  • @AndrewHenle That would not explain a `protocol_version` alert: 'protocol_version: The protocol version the client has attempted to negotiate is recognized, but not supported. (For example, old protocol versions might be avoided for security reasons). This message is always fatal.' – user207421 Apr 14 '17 at 00:27
  • Is it possible that the domain name is tied to a specific port different than 80? – Jorge Campos Apr 14 '17 at 01:05
  • @Jorge how would I get to know that? When I access the URL via browser I only give 192.168.1.1 and it displays the page correctly. Also the IP given here is just an example. The actual IP that I am trying is different. – Rachit M Garg Apr 14 '17 at 04:57
  • Well that would be a possible cause. If you don't know who is the admin for the domain you are trying to check the certificate that's a problem. – Jorge Campos Apr 14 '17 at 15:27

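A diagnostic for the failure discussed in the comments above, added here as an example and not code from the question or its commenters: it handshakes with the host once per protocol version the JVM supports, optionally sending an SNI host name, and prints either the certificate's notAfter date or the handshake error. The class name `TlsProbe`, the 5-second timeouts and the argument order are assumptions; Java 8 or later is assumed for `SNIHostName`.

```java
import javax.net.ssl.*;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.*;

public class TlsProbe { // hypothetical class name
    /** Handshakes with exactly one protocol version; returns the leaf certificate's notAfter. */
    static Date probe(String host, int port, String protocol, String sniName) throws Exception {
        // Inspection only: accept any chain so that a certificate which fails
        // validation can still be read. Never exchange data over this context.
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        try (Socket raw = new Socket()) {
            raw.connect(new InetSocketAddress(host, port), 5000);
            raw.setSoTimeout(5000);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(raw, host, port, true)) {
                SSLParameters p = s.getSSLParameters();
                p.setProtocols(new String[] { protocol });
                if (sniName != null) { // no SNI is sent for an IP literal unless set here
                    p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(sniName)));
                }
                s.setSSLParameters(p);
                s.startHandshake();
                return ((X509Certificate) s.getSession().getPeerCertificates()[0]).getNotAfter();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { System.err.println("usage: TlsProbe host [port] [sniName]"); return; }
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        String sni = args.length > 2 ? args[2] : null;
        for (String proto : SSLContext.getDefault().getSupportedSSLParameters().getProtocols()) {
            if (proto.equals("SSLv2Hello")) continue; // a hello format, not a protocol version
            try {
                System.out.println(proto + ": notAfter=" + probe(args[0], port, proto, sni));
            } catch (Exception e) {
                System.out.println(proto + ": " + e); // e.g. a fatal protocol_version alert
            }
        }
    }
}
```

Running it once without and once with the third argument separates a protocol-version mismatch from an SNI dependency, the two explanations raised in the comments.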