This page consists of an SSL error message troubleshooting reference followed by a discussion of SSL in Java that puts many of the solutions in context.
...
It is also worth checking that the certificate your CAS server is using for SSL encryption matches the one the client is checking against. For example, suppose your CAS server's ticket validator URL is https://subdomain.correctdomain.com/<something> but you have accidentally configured Tomcat to use the certificate for *.wrongdomain.com in its SSL connector. You will get a bad certificate warning in the browser on the login page to hint at the problem, but you ignore that warning (because you are using self-signed certificates during development) and continue. Ticket validation will then fail with "java.security.cert.CertificateException: No name matching subdomain.correctdomain.com found" because the public key the CAS server is presenting belongs to the *.wrongdomain.com certificate. The CAS client looks up the *.wrongdomain.com certificate in cacerts and then tries to find a matching CN or subject alternative name within that certificate. It will completely ignore the beautifully crafted *.correctdomain.com certificate you carefully imported into cacerts.
Wildcard Certificates
JSSE support for wildcard certificates is limited to hosts strictly in the same domain as the wildcard. For example, a certificate with CN=*.vt.edu matches hosts a.vt.edu and b.vt.edu, but not a.b.vt.edu.
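The name-matching behaviour described above (the *.wrongdomain.com certificate failing for subdomain.correctdomain.com, and the single-label wildcard rule) as an added example; this is not CAS or JSSE code but a small Python model of the rules this page states, plus one rule the page does not mention: when a certificate carries subjectAltName dNSName entries, JSSE checks those and does not fall back to the CN. The ServerCert class and all sample names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

LABEL = re.compile(r"^[a-z0-9-]+$")


@dataclass
class ServerCert:
    """Names a server certificate presents (constructed for this example)."""
    cn: str
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, host: str) -> bool:
    """JSSE-style match of one certificate name against a host name.
    A '*' must be the whole leftmost label and stands for exactly one label,
    so *.vt.edu covers a.vt.edu and b.vt.edu but not a.b.vt.edu."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial wildcards and over-broad ones like *.com are rejected
    if len(p_labels) != len(h_labels):
        return False  # the wildcard never spans a dot
    return p_labels[1:] == h_labels[1:] and LABEL.match(h_labels[0]) is not None


def check_hostname(cert: ServerCert, host: str) -> Optional[str]:
    """Return None when the certificate covers `host`, else a message shaped like
    the CertificateException text JSSE raises (the page quotes the CN variant)."""
    if cert.san_dns:
        # With dNSName SANs present, JSSE never falls back to the CN.
        if any(name_matches(n, host) for n in cert.san_dns):
            return None
        return f"No subject alternative DNS name matching {host} found."
    if name_matches(cert.cn, host):
        return None
    return f"No name matching {host} found"


if __name__ == "__main__":
    # The misconfiguration described above: Tomcat serves the wrong certificate.
    wrong = ServerCert("*.wrongdomain.com")
    print(check_hostname(wrong, "subdomain.correctdomain.com"))
    # The wildcard rule: the '*' covers exactly one label.
    vt = ServerCert("*.vt.edu")
    for h in ("a.vt.edu", "b.vt.edu", "a.b.vt.edu"):
        print(h, "->", check_hostname(vt, h) or "matches")
```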
unrecognized_name Error
```
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
```
The above error occurs mainly in Oracle JDK 7 CAS server installations. In JDK 7, SNI (Server Name Indication) is enabled by default. When the HTTPD server does not recognise the server name the client sends in the SNI extension, and therefore does not send the correct server name back, the JDK HTTPS connection refuses to connect and the exception stated above is thrown.
To fix the issue, you must ensure your HTTPD server is sending back the correct hostname. For example, in Apache HTTPD you must set ServerName and ServerAlias in the SSL vhost to the name the CAS client connects to:
```
ServerName your.ssl-server.name
ServerAlias your.ssl-server.name
```
Alternatively, you can disable the SNI extension in JDK 7 by adding this flag to the Java options of your CAS server's application server configuration:
```
-Djsse.enableSNIExtension=false
```
Keystore/TrustStore Reference
...