Reputation: 5657
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified, for no self-signed cert
Problem
Recently I noticed that 1-0.5% of all users faced with javax.net.ssl.SSLPeerUnverifiedException during simple GET over HTTPS.
But they looks interesting: exception message contains certificates information and according to this information certs doesn't related to my server, example of exceptions is:
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/AUSXlKDCf1X30WhWeAWbjToABfBkJrKWPL6KwEi5VH0= DN: CN=hautdebitmobile.orange.fr,OU=Orange France,O=Orange,L=Paris,ST=Paris,C=FR subjectAltNames: [hautdebitmobile.orange.fr]
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/LKtpdq9q7F7msGK0w1+b/gKoDHaQcZKTHIf9PTz2u+U= DN: CN=wireless.wifirst.net,OU=Gandi Standard SSL,OU=Domain Control Validated subjectAltNames: [wireless.wifirst.net, www.wireless.wifirst.net]
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/TfZXN7z9Tky/Z84sfOJcq4lhD3kNY4fPp3gKUZ27ekE= DN: CN=.internet-access.center,OU=Gandi Standard Wildcard SSL,OU=Domain Control Validated subjectAltNames: [.internet-access.center, internet-access.center]
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/Bx0LzMlqtgOKRIfUR4cQfb7yDy+3iotESgqk9HvWTOA= DN: CN=.nomosphere.fr,OU=Gandi Standard Wildcard SSL,OU=Domain Control Validated subjectAltNames: [.nomosphere.fr, nomosphere.fr]
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/zaV2Aw1A742R1+WpXWvL5atsJbGmeSS6dzZOfe6f1Yw= DN: CN=login.globalsuite.net,OU=COMODO SSL Unified Communications,OU=Domain Control Validated subjectAltNames: [login.globalsuite.net, *.gtkcentral.net, *.gtkserver.net]
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/UwOkRGMlP0K/mKNJdpQ0sTg2ean9Tje8UTOvFYzt1GE= DN: CN=login.netinary.net,OU=Security,O=NETINARY,L=MARSEILLE,ST=Bouches-du-Rhône,C=FR subjectAltNames: [login.netinary.net]
At first look these certs looks like random, but after quick research I have found that domains which mentioned there related to internet providers
Question
- Is it possible case that this exception happens when end user haven't access to internet and it's just redirected to an provider specific site (to login, or put some money into account)?
Upvotes: 2
Views: 3589
Answers (1)
Reputation: 9954
Your assumption could be right.
It looks like there is a Man in the Middle (MitM) intercepting the traffic which creates a certificate (either selfsigned or by a intermediate CA) that is not accepted by Java.
Java, by default, only accepts certificates from trusted CAs at the root. The trusted certificates are located in the file cacerts in your Java installation.
Upvotes: 1
Related Questions
- OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified
- how to solve javax.net.ssl.SSLPeerUnverifiedException: Hostname .com not verified:
- javax.net.ssl.SSLPeerUnverifiedException: Hostname xx.yy.subdomain.domain.com not verified:
- javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:
- Java SSLException: hostname in certificate didn't match. Veryfing wrong certificate?
- javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.1.2 not verified
- OkHttp: SSLPeerUnverifiedException Failed to find a trusted cert that signed X.509 Certificate
- "javax.net.ssl.SSLException: Not trusted server certificate" exception in Android
- Got 'IOException: hostname was not verified', although given hostname (IP address) matches common name
- Android SSL HostName Was Not Verified