SSL handshake alert unrecognized name error since upgrade to Java 1 7 0

Question

I upgraded from Java 1 6 to Java 1 7 today  Since then an error occur when I try to establish a connection to my webserver over SSL   javax net ssl SSLProtocolException  handshake alert   unrecognized name     at sun security ssl ClientHandshaker handshakeAlert ClientHandshaker java 1288      at sun security ssl SSLSocketImpl recvAlert SSLSocketImpl java 1904      at sun security ssl SSLSocketImpl readRecord SSLSocketImpl java 1027      at sun security ssl SSLSocketImpl performInitialHandshake SSLSocketImpl java 1262      at sun security ssl SSLSocketImpl startHandshake SSLSocketImpl java 1289      at sun security ssl SSLSocketImpl startHandshake SSLSocketImpl java 1273      at sun net www protocol https HttpsClient afterConnect HttpsClient java 523      at sun net www protocol https AbstractDelegateHttpsURLConnection connect AbstractDelegateHttpsURLConnection java 185      at sun net www protocol http HttpURLConnection getInputStream HttpURLConnection java 1296      at sun net www protocol https HttpsURLConnectionImpl getInputStream HttpsURLConnectionImpl java 254      at java net URL openStream URL java 1035    Here is the code   SAXBuilder builder   new SAXBuilder    Document document   null   try       url   new URL https   some url       document    Document  builder build url openStream       catch  NoSuchAlgorithmException ex        Logger getLogger DownloadLoadiciousComputer class getName    log Level SEVERE  null  ex         Its only a test project thats why I allow and use untrusted certificates with the code   TrustManager   trustAllCerts   new TrustManager        new X509TrustManager              public java security cert X509Certificate   getAcceptedIssuers                 return null                     public void checkClientTrusted                  java security cert X509Certificate   certs  String authType                       public void checkServerTrusted                  java security cert X509Certificate   certs  String authType                        try        SSLContext sc   SSLContext getInstance  SSL        sc init null  trustAllCerts  new java security SecureRandom         HttpsURLConnection setDefaultSSLSocketFactory sc getSocketFactory       catch  Exception e         Logger getLogger DownloadManager class getName    log Level SEVERE  null  e        I sucessfully tried to connect to https   google com  where is my fault   Thanks

User · Answer

I had what I believe the same issue is  I found that I needed to adjust the Apache configuration to include a ServerName or ServerAlias for the host   This code failed   public class a      public static void main String    a  throws Exception         java net URLConnection c   new java net URL  https   mydomain com    openConnection          c setDoOutput true         c getOutputStream             And this code worked   public class a      public static void main String    a  throws Exception         java net URLConnection c   new java net URL  https   google com    openConnection          c setDoOutput true         c getOutputStream             Wireshark revealed that during the TSL SSL Hello the warning Alert  Level  Warning  Description  Unrecognized Name   Server Hello Was being sent from the server to the client  It was only a warning  however  Java 7 1 then responded immediately back with a  Fatal  Description  Unexpected Message   which I assume means the Java SSL libraries don t like to see the warning of unrecognized name   From the Wiki on Transport Layer Security  TLS    112 Unrecognized name   warning TLS only  client s Server Name Indicator specified a hostname not supported by the server  This led me to look at my Apache config files and I found that if I added a ServerName or ServerAlias for the name sent from the client java side  it worked correctly without any errors    lt VirtualHost mydomain com 443 gt    ServerName mydomain com   ServerAlias www mydomain com

User · Answer

My VirtualHost s ServerName was commented out by default  It worked after uncommenting

User · Answer

Use    System setProperty  jsse enableSNIExtension    false    Restart your Tomcat  important

User · Answer

Java 7 introduced SNI support which is enabled by default  I have found out that certain misconfigured servers send an  Unrecognized Name  warning in the SSL handshake which is ignored by most clients    except for Java  As  Bob Kerns mentioned  the Oracle engineers refuse to  fix  this bug feature   As workaround  they suggest to set the jsse enableSNIExtension property  To allow your programs to work without re-compiling  run your app as   java -Djsse enableSNIExtension false yourClass   The property can also be set in the Java code  but it must be set before any SSL actions  Once the SSL library has loaded  you can change the property  but it won t have any effect on the SNI status  To disable SNI on runtime  with the aforementioned limitations   use   System setProperty  jsse enableSNIExtension    false      The disadvantage of setting this flag is that SNI is disabled everywhere in the application  In order to make use of SNI and still support misconfigured servers    Create a SSLSocket with the host name you want to connect to  Let s name this sslsock  Try to run sslsock startHandshake    This will block until it is done or throw an exception on error  Whenever an error occurred in startHandshake    get the exception message  If it equals to handshake alert   unrecognized name  then you have found a misconfigured server  When you have received the unrecognized name warning  fatal in Java   retry opening a SSLSocket  but this time without a host name  This effectively disables SNI  after all  the SNI extension is about adding a host name to the ClientHello message     For the Webscarab SSL proxy  this commit implements the fall-back setup

User · Answer

I have also come across this issue whilst upgrading from Java 1 6 29 to 1 7   Alarmingly  my customer has discovered a setting in the Java control panel which resolves this   In the Advanced Tab you can check  Use SSL 2 0 compatible ClientHello format    This seems to resolve the issue   We are using Java applets in an Internet Explorer browser   Hope this helps

User · Answer

Here is solution for Appache httpclient 4 5 11  I had problem with cert which has subject wildcarded   hostname com  It returned me same exception  but I musn t use disabling by property System setProperty  jsse enableSNIExtension    false    because it made error in Google location client   I found simple solution  only modifying socket    import io micronaut context annotation Bean  import io micronaut context annotation Factory  import org apache http client HttpClient  import org apache http conn ssl NoopHostnameVerifier  import org apache http conn ssl SSLConnectionSocketFactory  import org apache http impl client HttpClients  import org apache http ssl SSLContexts   import javax inject Named  import javax net ssl SSLParameters  import javax net ssl SSLSocket  import java io IOException  import java util List    Factory public class BeanFactory         Bean      Named  without verify       public HttpClient provideHttpClient             SSLConnectionSocketFactory connectionSocketFactory   new SSLConnectionSocketFactory SSLContexts createDefault    NoopHostnameVerifier INSTANCE                 Override             protected void prepareSocket SSLSocket socket  throws IOException                   SSLParameters parameters   socket getSSLParameters                    parameters setServerNames List of                     socket setSSLParameters parameters                   super prepareSocket socket                                     return HttpClients custom                    setSSLSocketFactory connectionSocketFactory                   build

User · Answer

I hit the same problem and it turned out that reverse dns was not setup correct  it pointed to wrong hostname for the IP  After I correct reverse dns and restart httpd  the warning is gone   if I don t correct reverse dns  adding ServerName did the trick for me as well

User · Answer

If you are building a client with Resttemplate  you can only set the endpoint like this  https   IP path to service and set the requestFactory   With this solution you don t need to RESTART your TOMCAT or Apache    public static HttpComponentsClientHttpRequestFactory requestFactory CloseableHttpClient httpClient        TrustStrategy acceptingTrustStrategy   new TrustStrategy              Override         public boolean isTrusted X509Certificate   chain  String authType  throws CertificateException               return true                        SSLContext sslContext   null      try           sslContext   org apache http ssl SSLContexts custom                    loadTrustMaterial null  acceptingTrustStrategy                   build          catch  Exception e            logger error e getMessage    e                 HostnameVerifier hostnameVerifier   new HostnameVerifier              Override         public boolean verify String hostname  SSLSession session                return true                        final SSLConnectionSocketFactory csf   new SSLConnectionSocketFactory sslContext hostnameVerifier        final Registry lt ConnectionSocketFactory gt  registry   RegistryBuilder  lt ConnectionSocketFactory gt create                register  http   new PlainConnectionSocketFactory                 register  https   csf               build         final PoolingHttpClientConnectionManager cm   new PoolingHttpClientConnectionManager registry       cm setMaxTotal 100       httpClient   HttpClients custom                setSSLSocketFactory csf               setConnectionManager cm               build         HttpComponentsClientHttpRequestFactory requestFactory               new HttpComponentsClientHttpRequestFactory         requestFactory setHttpClient httpClient        return requestFactory

User · Answer

There is an easier way where you can just use your own HostnameVerifier to implicitly trust certain connections  The issue comes with Java 1 7 where SNI extensions have been added and your error is due to a server misconfiguration   You can either use  -Djsse enableSNIExtension false  to disable SNI across the whole JVM or read my blog where I explain how to implement a custom verifier on top of a URL connection

User · Answer

Just to add a solution here  This might help for LAMP users  Options  FollowSymLinks -SymLinksIfOwnerMatch   The above mentioned line in the virtual host configuration was the culprit   Virtual Host Configuration when error   lt VirtualHost   80 gt      DocumentRoot  var www html load web     ServerName dev load com      lt Directory   var www html load web  gt          Options  FollowSymLinks -SymLinksIfOwnerMatch         AllowOverride All         Require all granted         Order Allow Deny         Allow from All      lt  Directory gt       RewriteEngine on      RewriteCond   SERVER PORT    443       RewriteRule        https     HTTP HOST   1  NC R 301 L   lt  VirtualHost gt    Working Configuration   lt VirtualHost   80 gt      DocumentRoot  var www html load web     ServerName dev load com     lt Directory   var www html load web  gt           AllowOverride All          Options All          Order Allow Deny          Allow from All       lt  Directory gt         To allow authorization header     RewriteEngine On     RewriteCond   HTTP Authorization            RewriteRule    -  e HTTP AUTHORIZATION  1        RewriteCond   SERVER PORT    443       RewriteRule        https     HTTP HOST   1  NC R 301 L     lt  VirtualHost gt

User · Answer

We also ran into this error on a new Apache server build   The fix in our case was to define a ServerAlias in the httpd conf that corresponded to the host name that Java was trying to connect to   Our ServerName was set to the internal host name  Our SSL cert was using the external host name  but that was not sufficient to avoid the warning   To help debug  you can use this ssl command   openssl s client -servername  lt hostname gt  -connect  lt hostname gt  443 -state  If there is a problem with that hostname  then it will print this message near the top of the output   SSL3 alert read  warning unrecognized name  I should also note that we did not get that error when using that command to connect to the internal host name  even though it did not match the SSL cert

User · Answer

I had the same problem with an Ubuntu Linux server running subversion when accessed via Eclipse   It has shown that the problem had to do with a warning when Apache  re started    Mon Jun 30 22 27 10 2014   warn  NameVirtualHost   80 has no VirtualHosts      waiting  Mon Jun 30 22 27 11 2014   warn  NameVirtualHost   80 has no VirtualHosts   This has been due to a new entry in ports conf  where another NameVirtualHost directive was entered alongside the directive in sites-enabled 000-default   After removing the directive in ports conf  the problem had vanished  after restarting Apache  naturally

User · Answer

You can disable sending SNI records with the System property jsse enableSNIExtension false    If you can change the code it helps to use SSLCocketFactory createSocket    with no host parameter or with a connected socket   In this case it will not send a server name indication

User · Answer

Instead of relying on the default virtual host mechanism in apache  you can define one last catchall virtualhost that uses an arbitrary ServerName and a wildcard ServerAlias  e g   ServerName catchall mydomain com ServerAlias   mydomain com   In that way you can use SNI and apache will not send back the SSL warning    Of course  this only works if you can describe all of your domains easily using a wildcard syntax

User · Answer

Ran into this issue with spring boot and jvm 1 7 and 1 8  On AWS  we did not have the option to change the ServerName and ServerAlias to match  they are different  so we did the following   In build gradle we added the following   System setProperty  jsse enableSNIExtension    false   bootRun systemProperties   System properties   That allowed us to bypass the issue with the  Unrecognized Name

User · Answer

It should be useful  To retry on a SNI error in Apache HttpClient 4 4 - the easiest way we came up with  see HTTPCLIENT-1522    public class SniHttpClientConnectionOperator extends DefaultHttpClientConnectionOperator        public SniHttpClientConnectionOperator Lookup lt ConnectionSocketFactory gt  socketFactoryRegistry            super socketFactoryRegistry  null  null               Override     public void connect              final ManagedHttpClientConnection conn              final HttpHost host              final InetSocketAddress localAddress              final int connectTimeout              final SocketConfig socketConfig              final HttpContext context  throws IOException           try               super connect conn  host  localAddress  connectTimeout  socketConfig  context             catch  SSLProtocolException e                Boolean enableSniValue    Boolean  context getAttribute SniSSLSocketFactory ENABLE SNI               boolean enableSni   enableSniValue    null    enableSniValue              if  enableSni  amp  amp  e getMessage      null  amp  amp  e getMessage   equals  handshake alert   unrecognized name                      TimesLoggers httpworker warn  Server received saw wrong SNI host  retrying without SNI                    context setAttribute SniSSLSocketFactory ENABLE SNI  false                   super connect conn  host  localAddress  connectTimeout  socketConfig  context                 else                   throw e                                    and  public class SniSSLSocketFactory extends SSLConnectionSocketFactory        public static final String ENABLE SNI      enable sni                    Implement any constructor you need for your particular application -        SSLConnectionSocketFactory has many variants             public SniSSLSocketFactory final SSLContext sslContext  final HostnameVerifier verifier            super sslContext  verifier               Override     public Socket createLayeredSocket              final Socket socket              final String target              final int port              final HttpContext context  throws IOException           Boolean enableSniValue    Boolean  context getAttribute ENABLE SNI           boolean enableSni   enableSniValue    null    enableSniValue          return super createLayeredSocket socket  enableSni   target       port  context             and  cm   new PoolingHttpClientConnectionManager new SniHttpClientConnectionOperator socketFactoryRegistry   null  -1  TimeUnit MILLISECONDS

User · Answer

You cannot supply system properties to the jarsigner exe tool  unfortunately   I have submitted defect 7177232  referencing  eckes  defect 7127374 and explaining why it was closed in error   My defect is specifically about the impact on the jarsigner tool  but perhaps it will lead them to reopening the other defect and addressing the issue properly   UPDATE  Actually  it turns out that you CAN supply system properties to the Jarsigner tool  it s just not in the help message  Use jarsigner -J-Djsse enableSNIExtension false

[java] SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0

Examples related to java

Examples related to ssl