I'm trying to fix my (a bit) old (er) Java 11 app that connected to an API without problems using OKHttp3 client.
The API (that I have no control of) had switched to a different SSL certificate, identified as:
issuer: C=US; O=DigiCert, Inc.; CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
That's what I get when trying to access it via Curl from command line, and I get the response as before.
However, my Java http client SSL handshake keeps getting stuck on azureedge.net CN that results in server not being verified with this exception:
ERROR [dsa] javax.net.ssl.SSLPeerUnverifiedException: Hostname myhostname.com not verified:
certificate: sha256/Nvgcs5yexn04uRMOx3YIN1w7gT+OS4b+WlGC8kHEiqQ=
DN: CN=*.azureedge.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US
subjectAltNames: [*.azureedge.net, *.media.microsoftstream.com, *.origin.mediaservices.windows.net, *.streaming.mediaservices.windows.net]
I suspect it has to do with an Azure IoT hub, but - no idea how to work around this.
Any help is much appreciated.
The clue to finding the solution after hours of banging my head was that all Java clients are failing to get the cert right, and that it seems to be related to SNI that is working in the client out of the box.
Not sure if it's the JVM I'm using or not, but the extension that http clients are using seems to be off by default. Adding the simple:
System.setProperty("jsse.enableSNIExtension", "true");
before any https calls does the trick.