Subject: Error #5: Keystore is loaded but it's not bearing the hostname
Author: authen
In response to: Error #4: Keystore is loaded but it's untrusted
Posted on: 02/26/2008 06:52:23 PM
If your server's certificate bears a subject, say 'CN=ServerB,DC=myCompany,DC=com', that is different from the hostname of the machine on which your server is running, say 'ServerA', you might have trouble convincing your clients that the server is a genuine one. It is up to your clients whether to trust it or not.
For clients using the Sun JDK SSL library, for example, a certificate whose hostname does not match is acceptable.
For clients using the JNDI StartTLS library, for example, a certificate whose hostname does not match is NOT acceptable, and the following exception is thrown on the client side:
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'ServerA' does not match the hostname in the server's certificate.
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416)
    ... 3 more
> On 02/26/2008 02:50:24 PM authen wrote:
>
> If your server is running on a keystore with a certificate trusted by well-known root Certificate Authorities (CAs) like VeriSign, your clients' applications should recognize and trust your server's certificate quite smoothly. If your server's certificate is trusted only by intermediate Certificate Authorities, or is even self-signed, your clients' applications have to decide manually whether or not to trust your server's certificate.
> If the client rejected your certificate, you would see something like this:
>
> javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
>     at java.io.BufferedInputStream.fill(Unknown Source)
>     at java.io.BufferedInputStream.read(Unknown Source)
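The two client-side failures discussed in this thread (Error #4, the certificate is not trusted; Error #5, the certificate is trusted but its name does not match the host) can be reproduced and fixed from the client end with the standard JSSE and JNDI APIs. The following is an added example, not code from the original posts: a JNDI StartTLS client that loads its own truststore (so a self-signed or privately-signed server certificate can be trusted without touching the JDK's cacerts) and then lets StartTlsResponseImpl perform its hostname check, plus a plain SSLSocket variant that turns on the same kind of check in JSSE itself. The host name `ServerA`, the truststore path `client-truststore.jks`, its password and the LDAP port are assumptions for illustration. `SSLParameters.setEndpointIdentificationAlgorithm` was added in Java 7, so it was not available to the 2008 posters; on a Java 6 SSLSocket the name is simply not checked, which is exactly the difference the post observes.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class StartTlsClient {

    // Error #4 fix: build an SSLContext whose trust anchors come from our own
    // truststore (the CA that signed the server cert, or the self-signed cert
    // itself, imported with keytool -importcert) instead of the JDK default.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, only trust
        return ctx;
    }

    // Error #5 as seen through JNDI: StartTlsResponseImpl.negotiate() verifies
    // that the name in the server certificate matches the host from PROVIDER_URL
    // and throws SSLPeerUnverifiedException otherwise. The correct fix is a
    // certificate that carries the hostname (CN or, better, a DNS SAN), not a
    // HostnameVerifier that returns true.
    static LdapContext connectStartTls(SSLContext ctx, String host, int port) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);

        LdapContext ldap = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ldap.extendedOperation(new StartTlsRequest());
        // negotiate() performs the TLS handshake (certificate_unknown alerts
        // surface here if the truststore is wrong) and then the hostname check.
        tls.negotiate(ctx.getSocketFactory());
        return ldap;
    }

    // Error #5 as seen through raw JSSE: an SSLSocket accepts a name mismatch
    // unless endpoint identification is switched on (Java 7+). With "HTTPS"
    // set, the handshake fails on a certificate issued to ServerB when we
    // connected to ServerA, matching the JNDI behaviour in the post.
    static SSLSocket connectWithHostnameCheck(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }

    public static void main(String[] args) throws Exception {
        String host = "ServerA";                        // assumed
        String trustStore = "client-truststore.jks";    // assumed path
        char[] password = "changeit".toCharArray();     // assumed

        SSLContext ctx = contextFromTrustStore(trustStore, password);
        LdapContext ldap = connectStartTls(ctx, host, 389);
        System.out.println("StartTLS established; certificate trusted and name matches " + host);
        ldap.close();
    }
}
```

If the server certificate really is issued to `ServerB` and the machine is reachable only as `ServerA`, re-issue the certificate (or add `ServerA` as a subject alternative name) rather than relaxing the client: a client that ignores the name check accepts any certificate its truststore trusts, for any host.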