
After updating our project dependencies from Apache HttpClient 4.5.10 to 4.5.11, we keep getting this error in our local environment.

We use Hystrix, so the connection itself uses HttpAsyncClient (4.1.2).

Production environments work fine after the update, so I guess there is a problem with our certificate that somehow does not pop up when using 4.5.10 for the SSL context configuration.

Does anyone have any idea what might be missing in the cert?


   Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'domain' does not match the certificate subject provided by the peer (CN=domain, O=Something, ST=Some-State, C=NL)
        at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
        at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)

(I already checked this, and it does not seem to match the problem)

Host name does not match the certificate subject provided by the peer, but it's a perfect match

2 Answers


  1. Chosen as BEST ANSWER

    The actual problem was not the domain itself, but that it was a private domain and DefaultHostnameVerifier assumes it is an ICANN domain. Modifying the hostname verifier fixes it.

    It was triggered by the change from 4.5.10 to 4.5.11 because of this commit: https://github.com/apache/httpcomponents-client/commit/858946348f5d34f9a8b4caf3c5f054721e647983#diff-842a4260950ada415839175b42257751

    It actually corrects a verification problem, but the error is not exactly clear, so I hope this helps someone down the road.


  2. The issue described above is fixed in https://issues.apache.org/jira/browse/HTTPCLIENT-2047

    Change the version to 4.5.12
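
For setups that cannot move to 4.5.12 right away, one way to modify the hostname verifier as the first answer describes (an added example, not code from either answer or from the HttpClient project): pass a null `PublicSuffixMatcher` to `DefaultHostnameVerifier`, which keeps the host-to-certificate name comparison but skips the public-suffix check that rejects private domains in 4.5.11. The class name `PrivateDomainAsyncClient` and the URL argument are hypothetical; the trade-off is that wildcard certificates spanning a public suffix are no longer rejected, so scope this client to internal hosts.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.util.PublicSuffixMatcher;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.ssl.SSLContexts;

// Hypothetical helper class: builds an HttpAsyncClient for private (non-ICANN) domains.
public final class PrivateDomainAsyncClient {

    public static CloseableHttpAsyncClient build(SSLContext sslContext) {
        // Null matcher: the verifier still checks the host against the
        // certificate's subjectAltName / CN entries, but does not consult the
        // public suffix list. Hostname verification itself stays enabled.
        HostnameVerifier verifier =
                new DefaultHostnameVerifier((PublicSuffixMatcher) null);

        // HttpAsyncClient takes its TLS settings through an SSLIOSessionStrategy,
        // the class that raises the SSLPeerUnverifiedException in the stack trace.
        SSLIOSessionStrategy strategy = new SSLIOSessionStrategy(sslContext, verifier);

        return HttpAsyncClients.custom()
                .setSSLStrategy(strategy)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: URL of an internal service (assumption, supplied by the caller).
        try (CloseableHttpAsyncClient client = build(SSLContexts.createSystemDefault())) {
            client.start();
            if (args.length > 0) {
                HttpResponse response = client.execute(new HttpGet(args[0]), null).get();
                System.out.println(response.getStatusLine());
            }
        }
    }
}
```

Once the dependency is on 4.5.12, the default verifier can be restored and this override removed.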
