{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 我只想做你的唯一 的问题《CertificateException: No subject alternative names》','https://www.manongdao.com/q-670900.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am getting following exception while calling https webservice.
com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present.
I am calling a php webservice from Java code. The CN (Common Name) i.e. the IP address on certificate and the IP address I am calling are different. I have added the certificate in keystore of java. Can someone help me out why this is happening? Where I am going wrong? The CN is the server IP address. I am calling that server using its external IP address given too us because of firewall issue.
Java clients normally comply strictly with RFC 2818 when it comes to checking the server's identity with an IP address. This means the IP address has to be in a Subject Alternative Name entry, not in the CN. This this question for details.
Fixing the certificate to comply with RFC 2818 (i.e. put the IP address in an IP Address SAN) should fix the
java.security.cert.CertificateException: No subject alternative names present.exception.However, since you're not calling the server with the IP address in the certificate, you'll still have a problem. You get two options:
If you can get someone to fix the certificate, put two SAN entries, for internal and external IP addresses. This is by far the best option (only second best to setting up a name on that machine, which could prevent this sort of problems a bit better).
Import only that certificate in the truststore used by that connection and disable hostname verification. Do not disable hostname verification in general. The problem with disabling hostname verification is that any valid certificate can impersonate any other, which could be used for a MITM attack. If the only certificate you trust is that of the only server you want to connect to (which you can do by having a separate trust store just for this purpose) you limit this risk. As often, coding for these exceptional cases leads to bad legacy code that someone may pick up and use insecurely later. For this reason, fixing the certificate is by far the better option.
When a name is present in the Common Name (CN), it must also be present in the Subject Alternate Name (SAN). You have a malformed certificate (and it might have other problems). See Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 9 (pages 9 & 10):
Bruno can probably cite the relevant section from RFC 6125.