Tuesday 22 July 2014

javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name


Caused by: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name

at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)

at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)

at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)

at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)

at java.net.URL.openStream(Unknown Source)


Issue :
I got this exception when I am trying to connect to WebService using https. You may also get this while connecting to any HTTPS url .


Solution:
It is issue with Server , because in their certificate the common name doesn’t match with  url domain.
It's possible to put multiple hostnames in a modern certificate and just use that one certificate in the default vhost, there are many hosting providers who are hosting for too many sites on a single address for that to be practical for them


In two ways we can fix the issue :
Http Client Side:

Java 7 introduced SNI support which is enabled by default. I have found out that certain misconfigured servers send an "Unrecognized Name" warning in the SSL handshake which is ignored by most clients... except for Java.
As workaround, I suggest to set the jsse.enableSNIExtension property. To allow your programs to work without re-compiling, run your app as:
java -Djsse.enableSNIExtension=false yourClass
The property can also be set in the Java code, but it must be set before any SSL actions. Once the SSL library has loaded, you can change the property, but it won't have any effect on the SNI status. To disable SNI on runtime (with the aforementioned limitations), use:
System.setProperty("jsse.enableSNIExtension", "false");
The disadvantage of setting this flag is that SNI is disabled everywhere in the application. In order to make use of SNI and still support misconfigured servers:
  1. Create a SSLSocket with the host name you want to connect to. Let's name this sslsock.
  2. Try to run sslsock.startHandshake(). This will block until it is done or throw an exception on error. Whenever an error occurred in startHandshake(), get the exception message. If it equals to handshake alert: unrecognized_name, then you have found a misconfigured server.
  3. When you have received the unrecognized_name warning (fatal in Java), retry opening a SSLSocket, but this time without a host name. This effectively disables SNI (after all, the SNI extension is about adding a host name to the ClientHello message).

HttpServer Side:

On the server side we have to create certificate with matching Domain name as Server Name or define where we have ServerName / ServerAlias as same name mentione din certificate common name.


Ref:
  1. https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
2.https://support.roambi.com/hc/en-us/articles/200858194-Cannot-verify-SSL-portal-due-to-error-javax-net-ssl-SSLProtocolException-handshake-alert-unrecognized-name
3.http://en.wikipedia.org/wiki/Server_Name_Indication
Posted by at 9 comments:
Labels: , , , , ,

Wednesday 16 July 2014

Browser ssl certificate validation


  1. How SSL works

                 Please check this link-->  How SSL Works

  1. How browser verifies certificate
It has 3 ways to verify the SSL certificate from server:
  1. It verifies with local trust store
  2. Verifies using CRL- (Explained Below)
  3. Verifies using OCSP (Explained Below)
  4. Verifies using  SCVP( Not Supported as of today) Spec defined as of now.


  1. When  certificate compromise
It is discovered that the certificate authority (CA) had improperly issued a certificate, or if a private-key is thought to have been compromised. Certificates may also be revoked for failure of the identified entity to adhere to policy requirements, such as publication of false documents, mis-representation of software behavior, or violation of any other policy specified by the CA operator or its customer. The most common reason for revocation is the user no longer being in sole possession of the private key (e.g., the token containing the private key has been lost or stolen).

  1. Certificate Revocation List - OCSP-Online Certificate Status Protocol

Today we did an announcement of some work we have been doing with CloudFlare to speed up SSL for all of our customers through some improvements to our revocation infrastructure.
One of the things that come up when talking about this is how each of the browsers handles revocation checking, I thought it might be useful to put together a quick post that talks about this to clear up some confusion.
The first thing that’s important to understand is that all major browsers do some form of revocation checking, that includes Opera, Safari, Chrome, Firefox and Internet Explorer.
Let’s talk about what that means, the IETF standards for X.509 certificates define three ways for revocation checking to be done, the first is Certificate Revocation Lists (CRLs), next there is the Online Certificate Status Protocol (OCSP) and finally there is something called Simple Certificate Validation Protocol (SCVP).
In the context of browsers we can ignore SCVP as no browser implements them; this leaves us with CRLs and OCSP as the standards compliant ways of doing revocation checking.
All of the above browsers support these mechanisms, in addition to these standard mechanisms Google has defined a proprietary certificate revocation checking scheme called CRLsets.
If we look at StatCounter for browser market share that means today at least 64.84% (its likely more) of the browsers out there are doing revocation checking based on either OCSP or CRLs by default.
This means that when a user visits a website protected with SSL it has to do at least one DNS look-up, one TCP socket and one HTTP transaction to validate the certificate the web server presents and more likely several of these.
This is important because of the way revocation checking needs to be done, you need to know if the server you are talking to really is who they say they are before you start to trust them – that’s why when browsers do OCSP and CRLs they do this validation before they download the content from the web page.
This means that your content won’t be displayed to the user until this check happens and this can take quite a while.
For example in the case of IE and Chrome (when it does standards based revocation checking on Windows) it uses CryptoAPI which will time-out after 15 seconds of attempting to check the status of a certificate.
The scary part is that calls to this API do actually time out and when they do this delay is experienced by the users of your website!
So what can you do about it? It’s simple really you have to be mindful of the operational capacity and performance of the certificate authority you get your certificate from.
Check out this monitoring portal I maintain for OCSP and this one I maintain for CRLs, you will see GlobalSign consistently outperforms every other CA for the performance of their revocation infrastructure in most cases it’s nearly 6x as fast and in others is much more than that.
The other thing to understand is that today the default behavior of these browsers when checking the status of a certificate via OCSP or CRLs is to do what is often referred to as a “soft-revocation failure”.
This basically means that if they fail for any reason to check the status of a certificate (usually due to performance or reliability issues) they will treat the certificate as good anyways. This is an artifact of CAs not operating sufficiently performant and reliable infrastructure to allow the browsers to treat network related failures critically.
Each of these browsers all have options you can use to enable “hard” or “strict” revocation checking but until the top CAs operate infrastructure that meets the performance and reliability requirements of the modern web no browser will make these the default.
Finally its also important to understand that even with this “soft-failure” your website experiences the performance cost of doing these checks.

  1. Conclusion:

Now we have two online checking protocols for Certificate from browsers:
  1. OCSP - Online Certificate Status Protocol- Most browsers supported
  2. SCVP- Simple Certificate Validation Protocol- Most of the Browsers not yet Implemented.

  1. References:

Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)