0

I am using the Bot Connector REST API and am having trouble with the Kik channel. When I try to respond to a message, I am receiving this error:

javax.net.ssl.SSLException: hostname in certificate didn't match: <kik.botframework.com> != <*.azurewebsites.net> OR <*.azurewebsites.net> OR <*.scm.azurewebsites.net> OR <*.azure-mobile.net> OR <*.scm.azure-mobile.net>

The service URL I am using is "https://kik.botframework.com".

I am running this off of a local server at the moment. I did not have any trouble connecting with the Skype channel in this configuration, but Kik is giving me trouble.

bigbazwa
  • 16
  • 4

2 Answers

0

I don't exactly have a solution, but I can explain what the reason behind this is and what you may have to double-check on your side.

So, in short, this is happening because of SNI (Server Name Indication) and because of the client's inability to support SNI.

Check this answer for some insight into this issue: https://serverfault.com/questions/594368/openssl-returns-different-ssl-certificate-to-that-shown-by-chrome

In this case, the same IP is hosting a bunch of domains and certificates. Most modern browsers support SNI and will be able to detect this and show you the right certificate (try Firefox).

However, when the SSL client of a server is trying to do a handshake (without specifying 'server name'/'host name') it doesn't know which certificate to fetch, and hence fetches the core certificate.

Solution? The client should 'indicate' that this is the host name and then it'll fetch the right certificate.

Example:

    openssl s_client -connect dev.botframework.com:443

vs.

    openssl s_client -servername dev.botframework.com -connect dev.botframework.com:443

How to Solve this?

Skip the host name verification phase. Disabling SSL Certificate Validation in Spring RestTemplate or another Example:

    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("http", PlainConnectionSocketFactory.getSocketFactory())
            .register("https", new SSLConnectionSocketFactory(SSLContexts.createDefault(), new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    // Accepts every hostname, so the certificate name is never checked
                    return true;
                }
            }))
            .build();

Arka
  • 9
  • 3
0

The problem ended up being that the version of the HttpClient library being used by my server is fairly old (4.2.5) and did not support Server Name Indication. I was able to patch it to support SNI as per here: Server Name Indication (SNI) Support. Thanks to Arka for pointing out what the issue likely was.

bigbazwa
  • 16
  • 4