Reputation: 287
I have three issues when I use okhttp to get content from these web sites:
http://www.wp.com has error with: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http://www.macys.com has error with: java.net.ProtocolException: Too many follow-up requests: 21
http://www.vk.me has error with: javax.net.ssl.SSLPeerUnverifiedException: Hostname www.vk.me not verified: certificate: sha256/Sx09coMBYByu6GDlS0E6daYLDVLydbmJjFNkTANfSg4= DN: CN=.vk.com, OU=Domain Control Validated subjectAltNames: [.vk.com, vk.com]
UPDATED at 2016/06/12:
How can I fix the above issues 1-4? Thanks all!
Upvotes: 2
Views: 1620
Reputation: 4602
Given that the sites have not been compromised:
(1) You are missing the root-CA certificate in your trusted store. This can happen if the CA used by the website is not delivered with the JDK. You need to manually add it to the trusted store using keytool.
(2) I researched the error and found that this is thrown by the okhttp client if it receives more than 20 redirect requests. My source is this: https://github.com/square/retrofit/issues/1561
Update: I just did a browser load page trace for macys.com. Impressive, you should give yourself the experience :-) The redirects are the normal load behavior of the page; the font is redirected zillions of times.
OkHTTP implements the max redirect value of 20 as a hardcoded value. https://github.com/square/okhttp/blob/master/okhttp/src/main/java/okhttp3/internal/http/HttpEngine.java (line 91)
(3) The domain name in the certificate does not match the certificate presented. This is a common error on multihomed pages.
To fix (1), besides adding the CA, you could implement the Java SSL certificate path validator as described here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html#ValidationClasses
To fix (3) you need to implement a TrustManager as described here: SSL Certificate Verification in Java
Upvotes: 2
Reputation: 24114
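For your 3rd issue, you can try the following:
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Ignores the hostname argument: every connection made with this verifier
// is checked against the fixed name ".vk.com".
private HostnameVerifier getHostnameVerifier() {
    return new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
            return hv.verify(".vk.com", session);
        }
    };
}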
then
OkHttpClient client = new OkHttpClient.Builder()
        .hostnameVerifier(getHostnameVerifier())
        .build();
Upvotes: 1
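An added example, not code from either answer: a hostname verifier that narrows the exception for issue 3 to the one host and certificate name shown in the error, and fails closed otherwise. The class name ScopedHostnameVerifier is hypothetical, and the delegate is assumed to be whichever verifier the client would normally use; certificate chain validation by the trust manager is unaffected.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: allows one known host/certificate-name mismatch, nothing else. */
public final class ScopedHostnameVerifier implements HostnameVerifier {
    private static final int SAN_DNS_NAME = 2; // GeneralName type dNSName (RFC 5280)

    private final String requestHost;        // host the client connects to, e.g. "www.vk.me"
    private final String certName;           // exact SAN entry expected, e.g. "vk.com"
    private final HostnameVerifier delegate; // normal verifier, used for every host

    public ScopedHostnameVerifier(String requestHost, String certName, HostnameVerifier delegate) {
        this.requestHost = requestHost;
        this.certName = certName;
        this.delegate = delegate;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Standard verification first; the exception below is only a fallback.
        if (delegate.verify(hostname, session)) return true;
        // Any host other than the configured one gets no exception.
        if (!requestHost.equalsIgnoreCase(hostname)) return false;
        try {
            Certificate[] chain = session.getPeerCertificates();
            return chain.length > 0 && chain[0] instanceof X509Certificate
                    && hasDnsSan((X509Certificate) chain[0], certName);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed
        }
    }

    /** True if the leaf certificate lists expected as a dNSName subjectAltName (exact match). */
    static boolean hasDnsSan(X509Certificate cert, String expected) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (san.size() >= 2 && Integer.valueOf(SAN_DNS_NAME).equals(san.get(0))
                    && expected.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
        }
        return false;
    }
}
```

It would be passed to the builder as .hostnameVerifier(new ScopedHostnameVerifier("www.vk.me", "vk.com", defaultVerifier)), where defaultVerifier is a placeholder for the client's normal verifier.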