Certificate chain different between HTTPSURLconnection and Apache (System) DefaultHttpClient

半腔热情 submitted on 2019-12-08 05:26:46

Question


I am facing a weird issue with respect to the Apache HTTPS client. I am trying to connect to an external HTTPS website which has basic authentication turned on (SSL server authentication only). Here is the summary of my tests and conclusions.

  • Use either of Chrome/Firefox/IE to connect to the website -> success

  • Use javax.net.ssl.HttpsURLConnection -> success

  • Use either of DefaultHttpClient or SystemDefaultHttpClient -> failure

I tried to debug by setting "javax.net.debug" to "ssl". I noticed that both clients pick up the same trust store (default JDK trust store) and use the same protocol (TLSv1). However, the differences were as follows.

I noticed that the following extension was returned by the JDK

Extension server_name, server_name: [host_name: websitehostname]

while the above extension was missing in the Apache web client debug log.

Also, one more difference I saw was in the certificate chain.

The below response from JDK native

Certificate chain chain [0] = [ [ Version: V3 Subject: CN=websitename, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)13, OU=GT17702541, SERIALNUMBER=Q2La1fpFlFdNy4kUCIehYlMvw6bq64Ch Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

while in the Apache client the following

chain [0] = [ [ Version: V3 Subject: EMAILADDRESS=root@i4319, CN=i4319, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=-- Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

and obviously I get the following exception with the Apache HTTPS client.

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Before I go back and redo my work to use the JDK native client, I would like to know what is happening. Any insight on this behaviour would be appreciated.


Answer 1:


After a lot of searching, it looks like this weird issue is because of the lack of SNI support in the Apache client. Here is the JIRA that discusses the problem and a possible solution:

https://issues.apache.org/jira/browse/HTTPCLIENT-1119

and a possible workaround here:

https://wiki.apache.org/HttpComponents/SNISupport



Source: https://stackoverflow.com/questions/17975295/certificate-chain-different-between-httpsurlconnection-and-apache-system-defau
