Question

Webservice: Dealing with/bypassing non-valid certificate on testsite

0

Again a webservice question. The webservice I am trying to call is on a site with a non-valid certificate. The error I get is: Caused by: com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching test.<xxxx>.com found at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:132) at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:256) at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:184) at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:137) When asking the webservice provider to implement a valid certificate I get the reply that this is an apache default value which cannot be changed. My questions: Does that make sense? If so, is there a way that I can bypass the validity check (especially for testing)? UPDATE: I have added JVM parameter: -Dsun.security.ssl.allowUnsafeRenegotiation=true. I now get the message: Caused by: com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching test.<xxxx>.com found at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:132) Does that mean that this option does not work for my configuration? Should I do more.

asked 2011-12-01

Frans Verschoor (FraternIT)

3 answers

Hans van Kranenburg · Answer 1 · 2011-12-01

Using -Dsun.security.ssl.allowUnsafeRenegotiation=true is wrong and is not a fix for this issue. You are getting the same error, and you're more vulnerable to man in the middle attacks now.

The Apache story is nonsense, of course SSL key/certificate can be adjusted in the configuration.

A 'proper certificate' to be used is a certificate with matching hostname, signed by an Authority that is trusted by the client.

For testing, it would be possible to set up a test Certificate Authority, used to sign test certificates with the right names and validity dates. The test Certificate Authority Certificate could be imported in the keystore your JVM uses.

Alternatively, you can circumvent Certificate checking by overriding the Validation code, something like: http://exampledepot.com/egs/javax.net.ssl/TrustAll.html (not tested)

Samet Kaya · Answer 2 · 2011-12-01

Maybe this could help you.

Sebastiaan van den Broek · Answer 3 · 2011-12-01

You can open the certificate (double click in windows) and see which domain name it should match. It seems you're connecting to some test server (since it says "No name matching test.<xxxx>.com found") and they probably did not give you a certificate for this url. There may be workarounds but I don't know of any other than what Samet already mentioned. I'd try getting them to give you a proper certificate for the test url.