
I'm trying to debug the following error:

javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert
    at sun.security.ssl.SSLSocketImpl.recvAlert
    (...)

I've already addressed the SNI Extension problem described here: SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0

I still get the error, so I'd like to print the SSL certificates which I'm sending to the server for debugging purposes. Here's my code:

import java.io.DataOutputStream;
import java.net.URL;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;

// text (the URL string) and query (the POST body) are defined elsewhere
URL url = new URL(text);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true); // required, otherwise getOutputStream() throws ProtocolException
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
conn.setRequestProperty("Content-length", String.valueOf(query.length()));

// getOutputStream() is what actually opens the connection and runs the TLS handshake
DataOutputStream os = new DataOutputStream(conn.getOutputStream());
os.writeBytes(query);

// Only valid once the handshake has completed; returns null if no client cert was sent
Certificate[] certs = conn.getLocalCertificates();
if (certs == null) {
     System.out.println("No local certificates were sent to the server");
} else {
     for (int i = 0; i < certs.length; i++) {
          System.out.println("########### LocalCertNr " + String.valueOf(i) + " ##############");
          System.out.println(certs[i].toString());
     }
}

My problem is that before I hit os.writeBytes(query) the connection is not open yet and I can't read the certificates, but I can't open it either, because as soon as I call getOutputStream or getInputStream I hit the error from the beginning of the post.

How can I print the certificates which HttpsURLConnection is going to send?

juggler92
  • By default, certificates are only sent *from* the server. – Oliver Charlesworth Sep 27 '18 at 17:56
  • @OliverCharlesworth: not necessarily. IF server requests client auth AND sysprops `javax.net.ssl.keyStore*` are set OR prior code has set SSLContext default and/or HttpsURLConnection default factory then JSSE tries to send client cert. juggler: the only way to see certs before they are sent -- if they are -- is to tailor or instrument the keymanager, or to debug (which will likely cause timeout). It is easier to see what is _actually_ sent and received by setting sysprop `javax.net.debug=ssl`, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug – dave_thompson_085 Sep 27 '18 at 21:44
  • That's what I meant when I wrote "by default" :) – Oliver Charlesworth Sep 28 '18 at 03:30
  • @dave_thompson_085 that solves my problem halfway - I'm running my code as a plugin on a service, where I don't have control over the properties set at runtime (e.g. `javax.net.debug=ssl`). – juggler92 Sep 28 '18 at 15:03
  • (1) can you get a network trace, or a trace from the/a server? (2) can you direct the connection (temporarily, perhaps with fake data) to your own server, which could help with (1) and/or let you proxy the request to the real server using software more under your control? – dave_thompson_085 Sep 29 '18 at 04:19
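The "tailor or instrument the keymanager" route from the comments, worked through as an added example that is not code from the question or from any of the commenters. It wraps the JSSE X509KeyManager so that the client certificate chain is printed at the moment JSSE selects it, before it is written to the wire, and installs that key manager per connection via setSSLSocketFactory, so it needs neither `javax.net.ssl.keyStore*` nor `javax.net.debug` to be set in the runtime. The URL, keystore path and password in main are placeholders; the POST body is a constructed sample. It also shows the check a practitioner wants here: chooseClientAlias is only called after the server has sent CertificateRequest, so if the handshake dies with unrecognized_name on the ClientHello (where SNI is evaluated) the wrapper never fires, which by itself rules out the client certificate as the cause.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

// Added example (not from the original post): a logging wrapper around the JSSE key manager.
public final class LoggingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public LoggingKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    // JSSE calls this only after the server has sent a CertificateRequest. If the handshake
    // already failed (e.g. unrecognized_name in response to the ClientHello), this is never
    // reached, which tells you the client certificate is not what the server is rejecting.
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        System.out.println("Server requested client auth: keyTypes=" + Arrays.toString(keyTypes)
                + ", acceptable issuers=" + (issuers == null ? 0 : issuers.length));
        String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
        if (alias == null) {
            System.out.println("No matching client certificate: an empty Certificate message will be sent");
            return null;
        }
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        System.out.println("Selected alias '" + alias + "', chain length " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("########### LocalCertNr " + i + " ##############");
            System.out.println(chain[i]); // same dump the question's loop would print
        }
        return alias;
    }

    // Everything else is pass-through.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    // Builds an SSLContext whose X509KeyManagers are wrapped in the logger. keyStore may be
    // null, in which case JSSE has no client certificate to offer and the wrapper prints that.
    public static SSLContext contextWithLogging(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null); // null trust managers = platform default trust store
        return ctx;
    }

    // Usage: java LoggingKeyManager https://example.invalid/path client.p12 secret
    // (URL, keystore path and password are placeholders; omit the last two to test without a client cert.)
    public static void main(String[] args) throws Exception {
        KeyStore ks = null;
        char[] pw = null;
        if (args.length > 2) {
            pw = args[2].toCharArray();
            ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[1])) {
                ks.load(in, pw);
            }
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(contextWithLogging(ks, pw).getSocketFactory()); // per-connection, no sysprops needed
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setDoOutput(true);
        byte[] query = "a=1".getBytes(StandardCharsets.UTF_8); // constructed sample body
        try (OutputStream os = conn.getOutputStream()) {       // the TLS handshake happens here
            os.write(query);
        }
        System.out.println("HTTP " + conn.getResponseCode());
        // After the handshake this reports what was actually sent (null if nothing was)
        System.out.println("getLocalCertificates(): " + Arrays.toString(conn.getLocalCertificates()));
    }
}
```

Because the wrapper is installed only on this connection's socket factory, it does not touch the default SSLContext or HttpsURLConnection.setDefaultSSLSocketFactory, so other code in the hosting service is unaffected. If the server never sends CertificateRequest, nothing is logged from chooseClientAlias and getLocalCertificates() returns null; that is the case Oliver Charlesworth's "by default" comment describes.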
