Reputation: 1
I am trying to create a simple program to connect to a URL protected by SSL, get the server certs and print some details about them.
It works for sites when I test the URL they typically operate from, like www.google.co.uk or uk.yahoo.com, but it fails if the site isn't (e.g. yahoo.co.uk). yahoo.co.uk does redirect to uk.yahoo.com in a browser, but even with .setInstanceFollowRedirects(true), when I connect via my app to yahoo.co.uk my connection fails with "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed".
I'm hoping someone might have come across it before and know what I'm doing wrong? Below is the snippet that fails. I know it fails at httpsc.connect(), but I don't get why it didn't follow the redirect to uk.yahoo.com to get the cert from that?
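import java.net.URL;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;

URL url = new URL(url_to_test);
HttpsURLConnection httpsc = (HttpsURLConnection) url.openConnection();
httpsc.setInstanceFollowRedirects(true);
// The SSLHandshakeException is thrown here, during the TLS handshake
httpsc.connect();
System.out.println("RESPONSE = " + httpsc.getResponseCode());
Certificate[] certs = httpsc.getServerCertificates();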
Upvotes: 0
Views: 143
Reputation: 123639
The problem is not with Java but with the invalid setup of the site. If you analyze yahoo.co.uk at SSLLabs you will notice the message
This server's certificate chain is incomplete. Grade capped to B.
This means that the server does not send all intermediate certificates needed to build the trust chain. Some browsers like Chrome will download the missing certificates, other browsers like Firefox will try to fill in with intermediate certificates cached from former connections to other sites. If this is not possible (like with a newly created browser profile) Firefox will fail too with the message:
yahoo.co.uk uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
Upvotes: 1
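A diagnostic for the incomplete-chain situation described in the answer above, as an added example that is not part of the original question or answer: it records the certificates the server actually sends while still delegating validation to the JRE's default trust manager, then reports whether the topmost issuer is a trusted root. The class name `ChainCheck`, port 443 and taking the host as the first argument are assumptions of this example.

```java
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;

public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0]; // host to inspect, supplied by the caller
        // The JRE's default trust manager (backed by cacerts); validation stays on.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jre = (X509TrustManager) tmf.getTrustManagers()[0];
        Set<X500Principal> roots = new HashSet<>();
        for (X509Certificate ca : jre.getAcceptedIssuers()) roots.add(ca.getSubjectX500Principal());

        // Record the chain exactly as the server sent it, then run the default check.
        X509Certificate[][] sent = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jre.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                sent[0] = c;
                jre.checkServerTrusted(c, t); // still throws when no path can be built
            }
            public X509Certificate[] getAcceptedIssuers() { return jre.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
            System.out.println("Path validated against the default trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        if (sent[0] == null) return; // failed before the server presented a certificate
        for (X509Certificate c : sent[0])
            System.out.println("subject=" + c.getSubjectX500Principal() + "\n  issuer=" + c.getIssuerX500Principal());
        // Name-based check only: the topmost issuer should be a root the JRE trusts.
        X500Principal top = sent[0][sent[0].length - 1].getIssuerX500Principal();
        if (!roots.contains(top))
            System.out.println("Not sent and not a trusted root: " + top
                + " (missing intermediate or untrusted CA)");
    }
}
```

If the last line is printed and the server sent only its own certificate, the fix belongs on the server: it should be configured to send the intermediate certificates along with its own.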