Small java question regarding the Java built in Http client please.

I have a small piece of code where I am trying the Java built in Http client.

final KeyManagerFactory keyManagerFactory = getAndInitKeyManagerFactory();
SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());

(Please note the null for TrustManager[] tm)

I would like to avoid carrying an extra truststore, and since this is mainly for testing, I am more than ok trusting any server even knowing this might be insecure.

Unfortunately, even with this null for the trust, I am still getting:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching abc.com

I even tried giving a

static class InsecureTrustManager implements X509TrustManager {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Return an empty array rather than null: some callers iterate over this result.
        return new X509Certificate[0];
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Intentionally empty: accepts any server certificate chain, as the question intends.
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Intentionally empty: accepts any client certificate chain.
    }
}

sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { new InsecureTrustManager() }, new SecureRandom());

But no luck, still the same exception with stack trace:

Exception in thread "main" java.io.IOException: No subject alternative DNS name matching abc.com found.
    at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:565)
    at java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:119)
    at question.Question.main(Question.java:54)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching abc.com found.
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
[...]
Caused by: java.security.cert.CertificateException: abc.com found.
    at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:98)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:415)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1584)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1525)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1310)

I am not quite understanding the issue, and would like to ask what the proper way is to configure, from code, with the Java built-in client, to trust everything.

Thank you

PatPanda

2 Answers

Since your problem is only(!) hostname verification and not actual cert validation (like many other Qs), to avoid JSSE wrapping your InsecureTrustManager and adding the hostname verification, either you must 'implement' X509ExtendedKeyManager instead -- and since this is an abstract class (it was designed before Java started allowing default methods in interfaces), you actually use extends and override its 4 (abstract) methods in addition to the ones in X509TrustManager -- or else turn it off specifically with jdk.internal.httpclient.disableHostnameVerification in which case you don't need a custom TrustManager at all.

Effectively a dupe of Allow insecure HTTPS connection for Java JDK 11 HttpClient, particularly 'Update' in https://stackoverflow.com/a/52995420/2868801 and https://stackoverflow.com/a/70741993/2868801

and Java SSL: how to disable hostname verification, particularly https://stackoverflow.com/a/54513917/2868801 and https://stackoverflow.com/a/70604898/2868801

dave_thompson_085
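Worked example of the first option in this answer (added here; it is not the answer author's code): a trust manager that extends X509ExtendedTrustManager so JSSE uses it without wrapping it, keeps normal PKIX chain validation by delegating to the platform default trust manager, and skips only the hostname (SAN) match. It assumes the test server's certificate chains to a CA in the default truststore (otherwise initialise the factory with a truststore containing the test CA); the class name and the https://abc.com URL are placeholders taken from the question.

```java
import java.net.Socket;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Extends X509ExtendedTrustManager so JSSE uses it as-is instead of wrapping it
// (the wrapper is what adds the hostname check seen in the question's stack trace).
public final class NoHostnameCheckTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;

    public NoHostnameCheckTrustManager(X509ExtendedTrustManager delegate) { this.delegate = delegate; }

    // Platform default PKIX trust manager; init with a truststore holding the test CA instead of null if needed.
    public static X509ExtendedTrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509ExtendedTrustManager) return (X509ExtendedTrustManager) tm;
        throw new IllegalStateException("no X509ExtendedTrustManager available");
    }

    // Two-argument forms validate the chain only; the default implementation adds endpoint
    // identification (the SAN match) in the Socket/SSLEngine forms, which are routed back here.
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { checkServerTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { checkClientTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        // First argument: pass keyManagerFactory.getKeyManagers() here for client certificates, as in the question.
        ctx.init(null, new TrustManager[] { new NoHostnameCheckTrustManager(platformDefault()) }, new SecureRandom());
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://abc.com/")).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("status=" + resp.statusCode() + " body=" + resp.body().length() + " bytes");
    }
}
```

Because the extended class is used directly, the HttpClient's SSLEngine handshake calls the SSLEngine overload above, so the chain is still validated but no "No subject alternative DNS name" exception is raised.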

Based on the stack trace, if you want to avoid the check, you need to implement your own instance of X509TrustManager, i.e. what X509TrustManagerImpl implements. This is the class that's throwing the error.

David Brossard