SSLProtocolException: handshake alert: unrecognized_name: client-side code workaround?

stblassitude · May 26, 2014 · Viewed 10.4k times

In a custom HTTP client retrieving XML data, I'm getting the unrecognized_name error. The answers to similar questions unfortunately do not work for me:

  • I cannot switch off SNI support via the system property since my code is running inside an application server, over which I have no control
  • I cannot fix the web service server configuration (to add a ServerName)

Right now, my code is using commons httpclient 3.1, but I'm open to alternatives. Here's the abridged code I'm using right now:

import java.io.IOException;
import java.io.InputStream;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.PostMethod;

InputStream fetch(String email) throws IOException {
    HttpClient client = new HttpClient();
    PostMethod method = new PostMethod(getEndpointUrl());
    // form-encoded credentials plus the email to look up
    NameValuePair[] data = {
        new NameValuePair("username", getUsername()),
        new NameValuePair("password", getPassword()),
        new NameValuePair("email", email)
    };
    method.setRequestBody(data);
    client.executeMethod(method); // TLS handshake happens here; this is where unrecognized_name surfaces
    return method.getResponseBodyAsStream();
}

I've looked at HttpClient, and it seems that I can implement a workaround similar to the one mentioned in https://stackoverflow.com/a/14884941/3676401, but seems to be a lot of potentially security-relevant code.

I'm rather loath to dump a large amount of code into an otherwise simple client. Any other suggestions?

Answer

bluehallu · May 26, 2014

You're connecting to a server that has misconfigured SNI. If you have no control over that server and cannot get it fixed, then you will have to disable SNI.

1) If you expect the server to be fixed at some point, use the runtime flag to disable SNI temporarily until the server is fixed. This way you can just remove this flag later without even needing to recompile once the server is fixed.

java -Djsse.enableSNIExtension=false

2) If you don't expect the server will ever be fixed, implement a permanent workaround such as disabling SNI in your application:

System.setProperty("jsse.enableSNIExtension", "false");

The workaround the answer you link mentions ultimately disables SNI anyway in a much more cumbersome way, so unless you need SNI somewhere else in your application I would just go with one of the options above.
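A worked example of both routes, added here as an illustration; it is not code from the question, the answer, or the linked workaround. It assumes Java 8 or later (SSLParameters.setServerNames appeared in Java 8) and uses a placeholder host. The first method is the answer's JVM-wide switch with the ordering caveat that matters in an application server: JSSE copies the property into a static field when its handshake classes load, so setting it after the first TLS connection in the JVM does nothing. The second method is the per-connection alternative for the case the answer mentions, where SNI is still needed elsewhere in the process; it leaves the default trust manager and HTTPS hostname verification in place, which is the part of a custom socket factory that is easy to get wrong. Wiring the per-connection variant into an HTTP client library still takes a custom socket factory, which is why the global property is the shorter path when it is acceptable.

```java
import java.io.IOException;
import java.util.Collections;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example, not code from the question or the answer.
 * Two ways to keep the JVM from sending the TLS SNI extension to a
 * server whose SNI handling is broken. Requires Java 8 or later.
 */
public class SniWorkarounds {

    /**
     * The JVM-wide switch from the answer (same effect as -Djsse.enableSNIExtension=false).
     * JSSE reads jsse.enableSNIExtension into a static field when its handshake
     * classes are loaded, so this only works if it runs before the first TLS
     * connection of the JVM. In an application server you don't control, a static
     * initializer in the class that opens the connection is the latest safe place.
     */
    static void disableSniGlobally() {
        System.setProperty("jsse.enableSNIExtension", "false");
    }

    /**
     * Per-connection alternative: an explicitly empty server-name list tells JSSE
     * to omit SNI on this socket only, so other HTTPS traffic in the same JVM keeps it.
     * The default trust manager still validates the certificate chain and the HTTPS
     * endpoint-identification rule still matches the certificate against host;
     * leaving out SNI does not loosen either check.
     */
    static SSLSocket connectWithoutSni(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket(host, port) opens the TCP connection, records the host for
        // hostname verification, and would normally also use it as the SNI name.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        params.setServerNames(Collections.<SNIServerName>emptyList()); // empty list = no SNI
        params.setEndpointIdentificationAlgorithm("HTTPS");            // keep hostname check
        socket.setSSLParameters(params);                               // must precede handshake

        socket.startHandshake(); // no SNI sent, so SNI cannot trigger unrecognized_name
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host and port (constructed for this example); pass the real endpoint.
        String host = args.length > 0 ? args[0] : "webservice.example";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket socket = connectWithoutSni(host, port)) {
            System.out.println("Negotiated " + socket.getSession().getProtocol()
                    + " with " + host + " without SNI");
        }
    }
}
```

Use one of the two, not both: once disableSniGlobally() has taken effect, the per-socket list is irrelevant. The order of calls in connectWithoutSni matters, since setSSLParameters only influences a handshake that has not started yet; calling it after the first read or write on the socket has no effect.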