nv-websocket-client

HostnameUnverifiedException for ALB setup

Open kssujithcj opened this issue 7 years ago • 3 comments

Thank you for the library.

I encountered com.neovisionaries.ws.client.HostnameUnverifiedException when the server responded with two certificates, one of which was valid and the other invalid (it had another hostname). The library only reads the first certificate in the list.

Initially while debugging I checked with okhttp3 and it was working fine. But for this library, we got the issue. Then when I looked into the code, I found this method in com.neovisionaries.ws.client.OkHostnameVerifier

public boolean verify(String host, SSLSession session) {
    try {
        Certificate[] certificates = session.getPeerCertificates();
        return this.verify(host, (X509Certificate)certificates[0]);
    } catch (SSLException var4) {
        return false;
    }
}

Please take a look at this issue.

kssujithcj avatar Jan 17 '18 14:01 kssujithcj
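To see which certificates a server actually presents and which names each one carries, a JDK-only diagnostic can dump the chain and then repeat the handshake with the JDK's own hostname check. This is an added example, not code from the issue or from nv-websocket-client; the class name `PeerChainDump` and the default host `example.com` are placeholders. `SSLSession.getPeerCertificates()` returns the peer's own certificate first, followed by its issuers.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PeerChainDump {
    // Handshake against the default trust store; optionally let the JDK match the hostname too.
    static Certificate[] handshake(String host, int port, boolean checkHostname) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            if (checkHostname) {
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 name matching
                socket.setSSLParameters(params);
            }
            socket.startHandshake();
            return socket.getSession().getPeerCertificates();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder, pass your own
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        Certificate[] chain = handshake(host, port, false);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            // Index 0 is the peer's own certificate; the rest are its issuers.
            System.out.println("[" + i + "] " + (i == 0 ? "leaf: " : "issuer: ")
                    + cert.getSubjectX500Principal().getName());
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) continue;
            for (List<?> san : sans) {
                // Each entry is [type, value]; type 2 is dNSName, type 7 is iPAddress.
                System.out.println("      SAN type " + san.get(0) + ": " + san.get(1));
            }
        }
        try {
            handshake(host, port, true);
            System.out.println("JDK hostname check: leaf matches " + host);
        } catch (SSLHandshakeException e) {
            System.out.println("JDK hostname check failed: " + e.getMessage());
        }
    }
}
```

Run it with the same host and port the WebSocket client uses and compare the leaf's SAN entries with the hostname in the exception message.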

If you use setVerifyHostname(false) in the client program, this exception will not occur, but you will face another exception:

Exception in thread "main" com.neovisionaries.ws.client.WebSocketException: Failed to send an opening handshake request to the server: Remote host closed connection during handshake
	at com.neovisionaries.ws.client.WebSocket.writeHandshake(WebSocket.java:3234)
	at com.neovisionaries.ws.client.WebSocket.shakeHands(WebSocket.java:3120)
	at com.neovisionaries.ws.client.WebSocket.connect(WebSocket.java:2155)
	at com.websocket.client.Client.connect(Client.java:133)
	at com.websocket.client.Client.main(Client.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
	at com.neovisionaries.ws.client.WebSocket.writeHandshake(WebSocket.java:3227)
	... 4 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at sun.security.ssl.InputRecord.read(InputRecord.java:505)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
	... 11 more

vipulsaini9 avatar Jan 31 '18 10:01 vipulsaini9

I was encountering the same issue as @vipulsaini9, until I removed the .verifyHostName(false) line. I then received the following stack trace:

2018-06-06 17:54:05.526 [ERROR] bridge.BridgeClient:529 - WebSocket Exception: The status line of the opening handshake response is badly formatted. The status line is: 
2018-06-06 17:56:49.776 [WARN ] bridge.BridgeClient:900 - The server connection is not open at this time. No data will be sent.
2018-06-06 17:56:50.021 [ERROR] bridge.BridgeClient:977 - Cannot connect to WebSocket, due to a fault with the WebSocket. Is the server running? Stack Trace:
	The certificate of the peer does not match the expected hostname (myfootcount.com)
	com.neovisionaries.ws.client.HostnameUnverifiedException: The certificate of the peer does not match the expected hostname (myfootcount.com)
	at com.neovisionaries.ws.client.SocketConnector.verifyHostname(SocketConnector.java:171)
	at com.neovisionaries.ws.client.SocketConnector.doConnect(SocketConnector.java:126)
	at com.neovisionaries.ws.client.SocketConnector.connect(SocketConnector.java:83)
	at com.neovisionaries.ws.client.WebSocket.connect(WebSocket.java:2152)
	at bridge.EditorClient.makeConnection(EditorClient.java:437)

Please note that bridge is a package in my application.

The SSL context setup is as follows:

WebSocketFactory factory = new WebSocketFactory();
if (scheme.equalsIgnoreCase("wss")) {
    // Use SSL. (I'm not sure any of this is necessary or where it's failing)
    SSLContext context = NaiveSSLContext.getInstance("TLS");
    factory.setSSLContext(context);
}
factory.setConnectionTimeout(1000);
// factory.setVerifyHostname(false); // was previously throwing an error
URI uri = new URI(scheme, host + ':' + port, path, null, null);
logger.debug("Making Websocket for \"" + uri.toString() + "\"...");
WebSocket ws = factory.createSocket(uri);
ws.setMissingCloseFrameAllowed(allowMissingCloseFrame);
ws.setAutoFlush(true);

How do I get around the "The certificate of the peer does not match the expected hostname (myfootcount.com)" issue without re-encountering the "Failed to send an opening handshake request to the server: Remote host closed connection during handshake" exception?

Update: I was running into this issue in Java 6. Changing to Java 7+ solved it.

nigelnquande avatar Jun 06 '18 16:06 nigelnquande

Bump, same issue in Java 8

jordanamr avatar Feb 26 '20 02:02 jordanamr