Error retrieving metadata: SSLPeerUnverifiedException

Baron Fujimoto baron at
Thu Aug 27 22:34:53 EDT 2015

On Fri, Aug 28, 2015 at 01:27:57AM +0000, Cantor, Scott wrote:
>On 8/27/15, 9:18 PM, "users on behalf of Baron Fujimoto" <users-bounces at on behalf of baron at> wrote:
>>>Regardless you should be verifying the signtaure on the metadata and simply set the flag to disregard the TLS connection. That's the best choice.
>>Is this supported in IdPv2? I found documentation of this attribute under
>>the IdPv3, but not for IdPv2. This error also suggests no:
>It was called disregardSslCertificate originally, I don't know if it was ever renamed on V2. I also thought it was named disregardTlsCertificate now, not TLS.

Ahh, thanks yes. disregardSslCertificate at

And disregardTLSCertificate at

>>>If you must, you can work around the bug, apparently by setting -Djdk.tls.trustNameService=true on the JVM.
>>So assuming the best choice workaround is not an option, I guess that
>>leaves setting jdk.tls.trustNameService=true for the JVM?
>It is an option, but only if the file is actually signed obviously. Otherwise you can either roll back to an unbroken Java or use that override.

Roger, that. As it turns out in this case, I don't believe this metadata
at <> is signed after all.
If it were, it should have <ds:Signature>...</ds:Signature> and associated
elements, no?  (Judging by the InCommon metadata as an example.)

Baron Fujimoto <baron at> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

More information about the users mailing list