What does “javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation” mean and how can it be prevented?

Backend · unresolved · 5 answers · 2129 views
盖世英雄少女心 2020-12-13 00:23

We use Oracle jdk 1.7.0_71 and Tomcat 7.0.55. Unfortunately we started to get the following exception during SSL connection between servers:

javax.net.ssl.SS         
5 answers
  •  没有蜡笔的小新
    2020-12-13 00:39

    The following code piece worked for us in an enterprise environment under the following conditions:

    • seamless (run-time) certificate update is a critical requirement
    • it is too costly to update the HTTPClient used in the application
    • restricting the https protocol to "TLSv1" has no effect
    • the application is a JNLP-served Java client and neither "allowUnsafeServerCertChange" nor "allowUnsafeRenegotiation" is allowed to be passed to the client application via JNLP arguments (I'm guessing JWS is blocking them for security reasons)
    • setting "allowUnsafeServerCertChange" and "allowUnsafeRenegotiation" via System.setProperty() calls during the bootstrap of the application has no effect.

      import java.lang.reflect.Field;
      import java.lang.reflect.Modifier;
      import javax.net.ssl.SSLHandshakeException;

      // 'e' is the exception caught around the failing HTTPS call and 'logger' is
      // the application's logger. This targets JDK 7/8: ClientHandshaker was removed
      // in the JDK 11 JSSE rewrite, and JDK 12+ hides Field.modifiers from reflection.
      void allowServerCertChangeAtRuntime(Exception e) {
          if (e.getCause() instanceof SSLHandshakeException) {
              logger.debug("server https certificate has been altered");
              try {
                  // Internal JSSE class that caches jdk.tls.allowUnsafeServerCertChange
                  // in a static final field when the class is initialised.
                  Class<?> c = Class.forName("sun.security.ssl.ClientHandshaker");
                  Field allowUnsafeServerCertChangeField = c.getDeclaredField("allowUnsafeServerCertChange");
                  allowUnsafeServerCertChangeField.setAccessible(true);
                  // Strip the FINAL modifier so the static field can be reassigned.
                  Field modifiersField = Field.class.getDeclaredField("modifiers");
                  modifiersField.setAccessible(true);
                  modifiersField.setInt(allowUnsafeServerCertChangeField, allowUnsafeServerCertChangeField.getModifiers() & ~Modifier.FINAL);
                  allowUnsafeServerCertChangeField.set(null, true);
                  logger.debug("client has been updated in order to support SSL certificate change (re-negotiation) on runtime.");
              }
              catch (Exception ex) {
                  logger.debug("client cannot be updated to support SSL certificate change (re-negotiation) on runtime. Please restart the application.", ex);
              }
          }
      }

    Please note that this should be considered a hack (introducing a vulnerability) and should be used in a trusted environment. One should try all the options in Yves' answer before going down this path.
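
Added audit example (not part of this answer or of the JDK): the reason a later System.setProperty() call has no effect is that sun.security.ssl.ClientHandshaker reads the jdk.tls.allowUnsafeServerCertChange property once into a static final field when the class is initialised. The hypothetical class below reads that effective field reflectively and compares it with the system property, so an operator can tell whether a running JDK 7/8 client rejects server certificate changes during renegotiation, has them allowed by JVM configuration, or has had the flag flipped at runtime. The class name, method names and verdict strings are my own; only the property, class and field names are the JDK's.

```java
import java.lang.reflect.Field;

/**
 * Audit helper (assumed name): reports whether this JVM's JSSE client currently
 * tolerates a server certificate change during TLS renegotiation.
 * Targets Oracle/OpenJDK 7 and 8, where sun.security.ssl.ClientHandshaker caches
 * jdk.tls.allowUnsafeServerCertChange in a static final field at class init.
 */
public final class ServerCertChangePolicyAudit {

    /** Property the JDK reads once, when ClientHandshaker is initialised. */
    static final String PROPERTY = "jdk.tls.allowUnsafeServerCertChange";

    /** What the system property says right now (defaults to false when unset). */
    static boolean propertyRequestsUnsafeChange() {
        return Boolean.parseBoolean(System.getProperty(PROPERTY, "false"));
    }

    /**
     * Effective flag inside the handshaker, read reflectively. Returns null when
     * the class or field is absent (JDK 11+ replaced ClientHandshaker) or when
     * reflective access is denied by a SecurityManager or module encapsulation.
     */
    static Boolean effectiveUnsafeChangeAllowed() {
        try {
            Class<?> handshaker = Class.forName("sun.security.ssl.ClientHandshaker");
            Field flag = handshaker.getDeclaredField("allowUnsafeServerCertChange");
            flag.setAccessible(true);
            return (Boolean) flag.get(null); // static field: no instance needed
        } catch (ReflectiveOperationException | RuntimeException ex) {
            return null;
        }
    }

    /** One-line verdict suitable for a startup log line or a health check. */
    static String verdict() {
        boolean requested = propertyRequestsUnsafeChange();
        Boolean effective = effectiveUnsafeChangeAllowed();
        if (effective == null) {
            return "UNKNOWN: handshaker flag not readable on this JDK";
        }
        if (effective && !requested) {
            // Flag is true although the property is not: it was changed at runtime
            // (for example by a reflection hack), not by JVM configuration.
            return "WEAKENED AT RUNTIME: server cert change allowed without -D" + PROPERTY;
        }
        if (effective) {
            return "WEAKENED BY CONFIG: -D" + PROPERTY + "=true";
        }
        return "STRICT: server certificate change during renegotiation is rejected";
    }

    public static void main(String[] args) {
        System.out.println(verdict());
    }
}
```

Run it once at application startup (or from a management endpoint) on the same JVM that makes the HTTPS calls; the "WEAKENED AT RUNTIME" verdict is the signal that the mitigation has been bypassed in-process rather than by an explicit, reviewable JVM flag.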
