  CertificateException: No subject alternative DNS name found
 
Subject: CertificateException: No subject alternative DNS name found
Author: authen
In response to: SunCertPathBuilderException: unable to find valid certification path to requested target
Posted on: 07/03/2007 06:50:07 PM

In order to prevent man-in-the-middle attacks, the client MUST use the server hostname as expressed in the server's certificate, which is also referred to as the subject and is, most likely, in the form of a full DNS name.

env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389");

Otherwise, you would get something like this:

javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'myServer' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at com.rli.slapd.client.ExternalTSLJndiClient.main(ExternalTSLJndiClient.java:122)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myServe found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
... 3 more



 

> On 07/03/2007 06:43:43 PM authen wrote:

If you do not have the correct trust store to verify the server's certificate,
System.setProperty("javax.net.ssl.trustStore", "myTrustStore");

you would get something like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1522)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:180)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:861)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1061)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
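
An added example, not part of the original posts: a JNDI StartTLS client that keeps the default hostname check enabled, maps the two exceptions quoted above to their causes, and on success prints the DNS names the server certificate actually carries. The trust store name and host name are the placeholders used in the posts; the class name StartTlsCheck is hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class StartTlsCheck {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumed placeholders from the posts: your trust store and the server's full DNS name.
        System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
        String host = "myServerInDnsFullName";

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // No custom HostnameVerifier is installed, so the default check stays on.
            SSLSession session = tls.negotiate();
            X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("Subject: " + cert.getSubjectX500Principal());
            // SAN entries are [type, value] pairs; type 2 is dNSName.
            if (cert.getSubjectAlternativeNames() != null) {
                for (List<?> san : cert.getSubjectAlternativeNames()) {
                    if (((Integer) san.get(0)) == 2) System.out.println("SAN DNS: " + san.get(1));
                }
            }
        } catch (SSLPeerUnverifiedException e) {
            // Host in PROVIDER_URL is not a name in the certificate: use the full DNS name.
            System.err.println("Hostname mismatch for '" + host + "': " + e.getMessage());
        } catch (SSLHandshakeException e) {
            // Typically PKIX path building failed: the issuing CA is missing from the trust store.
            System.err.println("Certificate not trusted: " + e.getMessage());
        } finally {
            if (tls != null) tls.close();
            ctx.close();
        }
    }
}
```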




