javaapache-httpclient-4.xhostname-verifier

java apache httpclient 4.5.13 SSLPeerUnverifiedException: Certificate for <foo.s3.amazonaws.com> doesn't match any of the subject alternative names:[]


I have changed my SSLConnectionSocketFactory to take DefaultHostNameVerifier instead of NoopHostNameVerifier.

final SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" }, null, NoopHostnameVerifier.INSTANCE);

final SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" }, null, new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault()));

since then I am having an issue when executing a validation on : "https://foo.s3.amazonaws.com/fileName.csv" I get an error:

Certificate for <foo.s3.amazonaws.com> doesn't match any of the subject alternative names:[*.s3.amazonaws.com, s3.amazonaws.com]

any idea what the issue might be?

*I am using apache httpclient 4.5.13, and it only happens on production (can not reproduce locally).

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <foo.s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)

Solution

  • The bug was caused by athena-jdbc dependency which is used somewhere else in the project and has it's own public-suffix-list. This function PublicSuffixMatcherLoader.getDefault() read the public-suffix-list of athena jdbc instead of http-client by apache.