Two-way SSL authentication

Hi,

I'm currently trying to implement a client to connect to an outside restful service with two-way authentication. Testing using the server company's sample client, which uses Apache CXF, works fine and I can send messages. I'm trying to build a more lightweight client than their sample, however, so I don't want to use CXF. However, without using CXF, I'm getting a CertificateException, "No subject alternative names present," which my research indicates usually means there's an issue with the cert. But I know the client and server certs work, since they work in the sample client. And my code uses the same code to build the keystore and the truststore as theirs.

Any ideas as to why I would be getting this error?

My client code is below:

final URL url = new URL(endpoint+resource); final HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection(); urlc.setDoInput(true); urlc.setDoOutput(false); urlc.setRequestMethod(requestMethod); urlc.setRequestProperty("Accept","application/x-protobuf"); urlc.setRequestProperty("Content-Type","application/x-protobuf"); urlc.setConnectTimeout(30000); urlc.setReadTimeout(30000); final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); final KeyStore ks = KeyStore.getInstance("JKS"); final File cert = new File(keystore); keyStream = new FileInputStream(cert); ks.load(keyStream, "changeit".toCharArray()); kmf.init(ks,"changeit".toCharArray()); final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); final KeyStore trustks = KeyStore.getInstance("JKS"); final File trustcert = new File(truststore); trustStream = new FileInputStream(trustcert); trustks.load(trustStream, "changeit".toCharArray()); tmf.init(trustks); final SSLContext context = SSLContext.getInstance("TLS"); context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); final SSLSocketFactory factory = context.getSocketFactory(); urlc.setSSLSocketFactory(factory); urlc.setDoOutput(true); if (requestBuilder != null) { requestBuilder.build().writeTo(urlc.getOutputStream()); } if (urlc.getResponseCode() == 200) { return urlc.getInputStream(); }

Ok, I figured it out. It's a problem in the cert; the example code bypassed the CN check and my code didn't, so it worked in the example code.

Apparently the cert they gave me did not have the URL in the CN field and didn't include a subject alternative names field. For testing purposes, I was able to bypass this by setting a custom Hostname Verifier:

urlc.setHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { System.out.println("Hostname is "+hostname); return true; } });

Interesting problem/solution. I gave you a cow for sharing it.