Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SSL "Peer Not Authenticated" error with HttpClient 4.1

Tags:

I am building a simple app monitor to poll one of our API URLs and email us if it can't get a HTTP 200 status code from the response (this would indicate our API is down for some reason).

I am using HttpClient 4.1 (this is important because its API differs greatly from 3.x).

Our API is secure with SSL, however entering:

http://example.com/our-api

into a web browser redirects you to

https://example.com/our-api

Without causing any errors.

When HttpClient attempts to hit this URL (http://example.com/our-api), it fails with a javax.net.ssl.SSLPeerUnverifiedException exception with a message stating:

peer not authenticated

I see this happening a lot for other people as is evidenced by this post (which also provides some ways of circumventing this problem - a solution that I am going to try and implement tonight in fact).

What this other post (and the other similar ones to it) do not do is explain why this is happening in the first place! So, rather than ask "how do I fix this?" I figured I would ask "why is this happening?" Before I go barging ahead with one of the proposed solutions, I'd like to know what the problem is that I'm attempting to fix ;-)

like image 985
IAmYourFaja Avatar asked Jul 31 '12 23:07

IAmYourFaja


People also ask

How do I fix peer not authenticated?

Resolving the problem The workaround is to extract the WebSphere Application Server certificate and add the extracted certificate to a new certificate store. Then, point the JVM that is running the Data Import command line to the new certificate store.

What does peer not authenticated mean?

This exception indicates that the Java application's truststore was unable to validate the certificate chain. This can occur when the external target's certificates have not been imported into the truststore or one or more of the certificates have expired.

What is SSLPeerUnverifiedException?

Class SSLPeerUnverifiedExceptionIndicates that the peer's identity has not been verified.


1 Answers

If the server's certificate is self-signed, then this is working as designed and you will have to import the server's certificate into your keystore.

Assuming the server certificate is signed by a well-known CA, this is happening because the set of CA certificates available to a modern browser is much larger than the limited set that is shipped with the JDK/JRE.

The EasySSL solution given in one of the posts you mention just buries the error, and you won't know if the server has a valid certificate.

You must import the proper Root CA into your keystore to validate the certificate. There's a reason you can't get around this with the stock SSL code, and that's to prevent you from writing programs that behave as if they are secure but are not.

like image 73
Jim Garrison Avatar answered Sep 30 '22 20:09

Jim Garrison