http client can not connect to some SSL servers: SSLHandshakeException


Matthias Ohlemeyer

Mar 13, 2014, 6:43:14 PM
to ve...@googlegroups.com
Hi,
The http client is giving me some headaches: it is able to connect to some SSL servers without any problem, but on others I get an SSLHandshakeException, although it is possible to connect to the same address with a browser or a "regular" Java http client.

Wireshark brings up the following suspicious sequence:

Server sends: "Server Hello, Certificate, Server Hello Done"
Client responds with: "Alert (Level: Fatal, Description: Certificate Unknown)"

The vertx http client is configured with port(443) and ssl(true).trustAll(true).

Vert.x version is 2.1M2.

Any help is appreciated.

Matthias

Matthias Ohlemeyer

Mar 15, 2014, 5:55:47 AM
to ve...@googlegroups.com
Hi, sorry to bug this list again, but it seems I cannot solve this issue on my own. It is probably some SSL/TLS or network issue.

My findings so far:

I have two sites A and B, both run on apache, use SSL and have the same type of certificate from the same CA. There are no issues when connecting to any of the sites with different web browsers, the certificates are simply accepted.

In order to connect to these sites with the Vert.x http client I set the port to 443, set ssl to true and trustAll also to true.

Connecting to site A works as expected. The Wireshark log shows that the client sends an SSL "Client Hello", the server then responds with a "Server Hello", in a new data transfer the certificate is sent from server to client, and afterwards the TLS handshake starts.

Connecting to site B always fails with an SSLHandshakeException. Here the client also starts the conversation with an SSL "Client Hello", but then the server sends the message "Server Hello, Certificate, Server Hello Done" in one go. After that the client responds with "Alert (Level: Fatal, Description: Certificate Unknown)" and the conversation ends.

The same happens when I do not rely on trustAll set to true, but create my own trust store.

I am really lost (and need to connect to site B for my project) and unsure, because I cannot find a pattern why some sites work while others do not! Does anybody have an idea?

Matthias

Jorge L.

Mar 15, 2014, 7:39:50 AM
to ve...@googlegroups.com
Try also with
verifyHost(false)

If it works with this configuration, the server name you invoke does not match the server name in the certificate CN. This is a typical issue in test environments when the server is using a certificate that was generated for a different host name. You can create a new server certificate (with the correct hostname), or you may add an entry in /etc/hosts to target the host when using the certificate CN host.

Matthias Ohlemeyer

Mar 15, 2014, 8:19:20 AM
to ve...@googlegroups.com
This is crazy: It works - thank you so much!

Just a few comments: I did not find the verifyHost method in the JavaScript manual, that's why I did not even get the idea to try it. I should have looked in the API docs.

But even then: I suspected exactly the problem you mentioned, and I can assure you that I double checked: the site address matches the certificate CN host character for character. I'm probably overlooking something obvious, but the fact that neither the browsers nor a straight Java http client reported a problem might have led me down the wrong path.

Not sure if it is worth investigating the issue any further, since nobody else seems to have encountered this problem.

Thanks again for your help.

Matthias