Exception : javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Question

public HttpClientVM() {

    BasicHttpParams params = new BasicHttpParams();
    ConnManagerParams.setMaxTotalConnections(params, 10);
    HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
    HttpProtocolParams.setUseExpectContinue(params, false);
    HttpConnectionParams.setStaleCheckingEnabled(params, true);
    HttpConnectionParams.setConnectionTimeout(params, 30000);
    HostnameVerifier hostnameVerifier=
          org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
    SSLSocketFactory socketFactory = SSLSocketFactory.getSocketFactory();
    socketFactory.setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
    SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(new Scheme("http",socketFactory, 80));
    schemeRegistry.register(new Scheme("https",socketFactory, 443));
        ThreadSafeClientConnManager manager = new ThreadSafeClientConnManager(params, schemeRegistry);
        // Set verifier     
        client = new DefaultHttpClient(manager, params);    
    }

Problem:

When executing client.accessURL(url), the following error occurs:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:495)
    at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)

Additional information:

• Window 7
• HttpClient 4

Answer 1

Spring application and "peer not authenticated" error

If you are experiencing this error while connecting to your Spring application, check the security configuration (@EnableWebSecurity, WebSecurityConfigurerAdapter, etc., based on what approach you use). If you secure the application's endpoints, make sure that you either add the target endpoint to exclusions (and do not require authentication) or ensure the proper authentication while trying to connect using the strategy that is set up in your application.

In my case, I was trying to connect to the application using WebSocket (with TLS support). I had this snippet in the security configuration (it's in Kotlin, but you will be able to get the idea):

@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http.csrf {
        it.disable()
    }.authorizeHttpRequests {
        it
            .requestMatchers(PUT, "/tasks/**").hasAuthority("<scope1>")
            .requestMatchers(POST, "/tasks").hasAuthority("<scope2>")
            .requestMatchers(GET, "/tasks").hasAuthority("<scope3>")
            .requestMatchers(GET, "/tasks/**").hasAuthority"<scope4>")
    }.oauth2ResourceServer {
        it.jwt(withDefaults())
    }

    return http.build()
}

Based on this config, all the incoming requests should be handled with an authenticated user. When I was trying to connect to wss://<host>:<port>/websocket using Postman, I was getting javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated error, because I didn't set up an authentication in Postman.

I adjusted the configuration by adding a new line into the authorizeHttpRequests section:

authorizeHttpRequests {
   it
     .requestMatchers(PUT, "/tasks/**").hasAuthority("<scope1>")
     .requestMatchers(POST, "/tasks").hasAuthority("<scope2>")
     .requestMatchers(GET, "/tasks").hasAuthority("<scope3>")
     .requestMatchers(GET, "/tasks/**").hasAuthority"<scope4>")
     .requestMatchers("/websocket").permitAll() // new setting
}

Using the new setting I can send a request to /websocket without authentication.

The second option was to set up authentication in Postman when I was trying to connect to the WebSocket using the first version of the configuration.

Answer 2

This is issue of Certificate that you created on system. You need to specify the IP while create certificate [Keystore] Please refer command.

keytool -genkeypair -alias baeldung -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore baeldung.p12 -validity 36500 -ext "SAN:c=DNS:<localhost/Server DNSName>,IP:"

Answer 3

If user Java 11.0.2 AdoptOpenJDK, may the bug, see jfrog article:

ARTIFACTORY: How to Resolve the javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Error When Using Java 11

Answer 4

The same issue I was facing we are using VPN this occurs when the captcha certificate is missing in your keystore.jks file.

1. Check if your server keystore has the captcha certificate or not, to do this use the below command. Go to your keystore.jks location and hit usr/java/jdk1.7.0_91/bin/keytool -list -v -keystore keystore.jks it will list all the certificate you have in it where : usr/java/jdk1.7.0_91/bin/keytool is the location of your java keytool you can use which javacommand if you are not sure of java path on your server.

2. If its not there then you have to download the captcha certifacte and install it to keystore, to do this follow the step:

a. Open : https://www.google.com/recaptcha/api/siteverify and click on the secure icon,Click on certificate is valid

b. Click on connection is secure

c. After that Click on details and export the certificate as .crt

d. Copy this .crt file on your server.

Go to the location of keystore.jks : 
Run this command : 
 /usr/java/jdk1.7.0_91/bin/keytool -import -alias googlecaptcha -keystore "/location/to/the/keystore.jks" -file "/location/to/crtfile/where/you/have/keep/ /on/server/googlecaptcha.crt"

NOTE : I have renamed www.google.com.crt as googlecaptcha.crt, also change the location parameter.

Once the certificate is installed you can use the list command (given in step 1) to verify it.

Here is the code snippet once the above process is done :

try {
          URL url = new URL(googleURL);
          if(proxy!=null){
              conn = (HttpURLConnection)url.openConnection(proxy);
          }else{
              conn = (HttpURLConnection)url.openConnection();
          }
          conn.setRequestMethod("POST");
          conn.setRequestProperty("Accept", "application/json");
            
          InputStreamReader in = new InputStreamReader(conn.getInputStream());
          BufferedReader br = new BufferedReader(in);
          StringBuilder sb = new StringBuilder();
          String output;
          while ((output = br.readLine()) != null) {
            System.out.println(output);
            sb.append(output);
          } 
          String responseNew = sb.toString();
           responseObject = (ImplValidateCaptchaGoogleResponse)this.mapper.readValue(responseNew, ImplValidateCaptchaGoogleResponse.class);
        
        } catch (Exception e) {
        LOGGER.debug("ERROR_OCCURED ::"+e.getMessage() );
          e.printStackTrace();
        } 
}

Answer 5

In my case, the server was running on Docker (using base image adoptopenjdk/openjdk11:alpine) and the issue was a TLS protocol level error (thanks to the following page for providing the explanation: https://jfrog.com/knowledge-base/how-to-resolve-the-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated-error-when-using-java-11/).

The solution was eventually to run the client using the following java flag:

-Djdk.tls.client.protocols=TLSv1.2

Answer 6

You can get this if the client specifies "https" but the server is only running "http". So, the server isn't expecting to make a secure connection.

Answer 7

Expired certificate was the cause of our "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated".

keytool -list -v -keystore filetruststore.ts

    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: somealias
    Creation date: Jul 26, 2012
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Unknown, OU=SomeOU, O="Some Company, Inc.", L=SomeCity, ST=GA, C=US
    Issuer: CN=Unknown, OU=SomeOU, O=Some Company, Inc.", L=SomeCity, ST=GA, C=US
    Serial number: 5011a47b
    Valid from: Thu Jul 26 16:11:39 EDT 2012 until: Wed Oct 24 16:11:39 EDT 2012

Answer 8

In my case I was using a JDK 8 client and the server was using insecure old ciphers. The server is Apache and I added this line to the Apache config:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT

You should use a tool like this to verify your SSL configuration is currently secure: https://www.ssllabs.com/ssltest/analyze.html

Answer 9

This exception will come in case your server is based on JDK 7 and your client is on JDK 6 and using SSL certificates. In JDK 7 sslv2hello message handshaking is disabled by default while in JDK 6 sslv2hello message handshaking is enabled. For this reason when your client trying to connect server then a sslv2hello message will be sent towards server and due to sslv2hello message disable you will get this exception. To solve this either you have to move your client to JDK 7 or you have to use 6u91 version of JDK. But to get this version of JDK you have to get the MOS (My Oracle Support) Enterprise support. This patch is not public.

Answer 10

if you are in dev mode with not valid certificate, why not just set weClient.setUseInsecureSSL(true). works for me

Answer 11

This error is because your server doesn't have a valid SSL certificate. Hence we need to tell the client to use a different TrustManager. Here is a sample code:

SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {

    public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
    }

    public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
    }

    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
};
ctx.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory ssf = new SSLSocketFactory(ctx,SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
ClientConnectionManager ccm = base.getConnectionManager();
SchemeRegistry sr = ccm.getSchemeRegistry();
sr.register(new Scheme("https", 443, ssf));

client = new DefaultHttpClient(ccm, base.getParams());

Answer 12

This can also happen if you are attempting to connect over HTTPS and the server is not configured to handle SSL connections correctly.

I would check your application servers SSL settings and make sure that the certification is configured correctly.