Error retrieving metadata: SSLPeerUnverifiedException

Brent Putman putmanb at georgetown.edu
Thu Jun 18 18:34:50 EDT 2015



On 6/18/15 5:30 PM, Brent Putman wrote:
>  
>> So this should work? Should I be looking elsewhere than the wildcard
>> cert for the source of the error?
>>
>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
>
> Like I said in my other note, this seems likely to be a bug on our
> end due to unexpected behavior of Java Secure Sockets Extensions
> (JSSE).  Can you confirm what exact version and vendor of Java you are
> running, and on what OS?
>
> If you can supply me with the actual metadata URL, I will attempt to
> reproduce.

Never mind, I was able to trivially reproduce using some SSL socket
testing code I have lying around.

Good news, it looks like the underlying cause here is simply that this
particular server is not sending the correct intermediate cert in the
cert chain it returns.  According to the cert path that Firefox
successfully builds, the intermediate is not the one they are sending.
(Looks like my Firefox probably has it cached from somewhere else, so
it's not getting it from the wire).

So there's a fairly standard PKIX path validation error going on here.
In my experience however this usually results in an IOException being
thrown in JSSE.  From what I can tell of the JSSE debug output, however,
it's not doing that here for some reason. It seems instead to just be
closing the socket and returning. Or maybe we're somehow swallowing it
in a way that I'm not seeing.  Then our hostname verification code runs
unconditionally (expecting that an exception would have been thrown if
the socket wasn't ok), producing the spurious error above, because the
SSLSession is already closed/invalid.

So we likely have a bug here in our socket factory, but perhaps
not the same one I originally thought. Indeed, a more trivial one.

In any case, one fix is to add the correct intermediate certificate to
Java's cacerts trust store.  This allows the PKIX path construction to
succeed and resolves the error for me. I'm attaching the intermediate
cert.  You can add it to your JRE's jre/lib/security/cacerts like so:

keytool -importcert -keystore cacerts -storepass changeit -alias idpgodaddyintermediate -file godaddy-firefox-inter-ca.crt


Alternatively, if you have some contact with the people running the web
server, you might just ask them to fix the cert chain that they are sending.


--Brent
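As an added illustration of the two points in Brent's message (a server sending an incomplete chain, and hostname verification being run after a failed handshake instead of as part of it), here is a small JSSE diagnostic. It is example code written for this page, not code from the Shibboleth socket factory or from the original post. It wraps the JRE's default trust manager so the chain the server actually put on the wire is recorded even when PKIX validation rejects it, starts the handshake explicitly so the real failure surfaces, and turns on JSSE's own endpoint identification so hostname verification can only run on a completed session. The host name and port are assumed command-line arguments; "example.org" is a hypothetical default.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/** Example diagnostic for "SSL peer failed hostname validation for name: null" (not project code). */
public class ChainDiagnostic {

    /** Delegates to the JRE default trust manager but keeps a copy of the chain the server presented. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        volatile X509Certificate[] presented;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain;                            // record first, so it survives a failure
            delegate.checkServerTrusted(chain, authType); // normal PKIX path validation still runs
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The trust manager backed by the JRE cacerts (or javax.net.ssl.trustStore if set). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org";        // hypothetical default target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        RecordingTrustManager rtm = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            // Make hostname verification (RFC 2818 rules) part of the handshake itself, so it is
            // never run separately against an SSLSession that is already closed or invalid.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);

            sock.connect(new InetSocketAddress(host, port), 10_000);
            sock.setSoTimeout(10_000);
            sock.startHandshake();                        // explicit: the real failure is thrown here
            System.out.println("handshake OK, session valid=" + sock.getSession().isValid());
            printChain(rtm.presented);
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + rootCause(e));
            printChain(rtm.presented);                    // chain was recorded before validation failed
        }
    }

    /** Prints the presented chain and flags the gap that makes PKIX path building fail. */
    static void printChain(X509Certificate[] chain) {
        if (chain == null) { System.out.println("no certificate chain was presented"); return; }
        for (int i = 0; i < chain.length; i++) {
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i,
                    chain[i].getSubjectX500Principal(), chain[i].getIssuerX500Principal());
            if (i + 1 < chain.length
                    && !chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                System.out.println("    !! issuer does not match the next cert's subject: chain is out of order"
                        + " or an intermediate is missing");
            }
        }
        X509Certificate last = chain[chain.length - 1];
        if (!last.getIssuerX500Principal().equals(last.getSubjectX500Principal())) {
            System.out.println("chain ends at a cert issued by " + last.getIssuerX500Principal()
                    + "; path building needs that issuer in the trust store (the missing intermediate or its root)");
        }
    }

    /** JSSE wraps the PKIX error several layers deep; unwrap to the CertPathValidatorException if present. */
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
            if (cur instanceof CertPathValidatorException) return cur;
        }
        return cur;
    }
}
```

Run it against the metadata host before and after importing the intermediate with the keytool command above: before, the handshake fails with the unwrapped PKIX "unable to find valid certification path" cause and the printed chain ends at a certificate whose issuer is not in cacerts; after, the handshake completes and the session reports valid. Because endpoint identification is enabled on the socket, a genuine name mismatch also surfaces as a handshake CertificateException naming the expected host, rather than as a later check against a dead session.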

-------------- next part --------------
A non-text attachment was scrubbed...
Name: godaddy-firefox-inter-ca.crt
Type: application/x-x509-ca-cert
Size: 1756 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150618/8df41589/attachment.bin>