SSL Websocket using StompClient -- SSL Certificate exception

I have a simple Java StompClient connecting to Java websocket events. It works when the server is configured as ws. I am not able to connect when the server is configured as wss. Code snippet below...

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;
import org.springframework.messaging.simp.stomp.StompSession;
import org.springframework.util.concurrent.ListenableFuture;
import org.springframework.web.socket.client.standard.StandardWebSocketClient;
import org.springframework.web.socket.messaging.WebSocketStompClient;

KeyStore truststore = KeyStore.getInstance("JKS");
truststore.load(this.getClass().getResourceAsStream("/truststore.jks"), "<hidden_pwd_for_thispost>".toCharArray());
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(this.getClass().getResourceAsStream("/keystore.jks"), "<hidden_pwd_for_thispost>".toCharArray());

// Declared before use (the original referenced it before defining it).
// Accepts any server chain, so chain validation is effectively switched off.
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

SSLContext sslContext = new SSLContextBuilder()
        .loadTrustMaterial(truststore, acceptingTrustStrategy)
        .loadKeyMaterial(keystore, "<hidden_pwd_forthisPost>".toCharArray())
        .build();

StandardWebSocketClient client = new StandardWebSocketClient();
client.getUserProperties().clear();
client.getUserProperties().put("org.apache.tomcat.websocket.SSL_CONTEXT", sslContext);
WebSocketStompClient stompClient = new WebSocketStompClient(client);
ListenableFuture<StompSession> sessionFuture = stompClient.connect(url, handler);
session = sessionFuture.get();

Exception

Caused by: java.security.cert.CertificateException: No name matching <myhost> found
at sun.security.util.HostnameChecker.matchDNS(Unknown Source)
at sun.security.util.HostnameChecker.match(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)

Please note I have built the keyStore and self-signed trustStore locally. And both keyStore and trustStore have CN as my hostname. Verified the above by running keytool -list.

Can someone please suggest. Your help is much appreciated.

Apologies if this question is already answered; I have searched for a while with no result. Hence posting.

Thanks,

2 answers

  • answered 2018-10-18 11:21 Ankur Chrungoo

    Does the Subject Alternative Name in your certificate match the Server Host name?

    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:<**HOST name which matches the server host name**>
    

    You can check this by using below steps:

    •   openssl s_client -connect <serverhostname>:<port on which you connect>
    •   Copy the string from -----BEGIN CERTIFICATE----- till -----END CERTIFICATE-----
    •   Paste the string into a .pem file, for example: “test.pem”
    •   Run command: openssl x509 -in test.pem -noout -text
    

    If the SAN doesn't have the host name, then the DN comes into the picture. Refer to this: CertificateException: No name matching ssl.someUrl.de found


    UPDATE:

    If you are trying to achieve mutual authentication, that means both the server and the client should have their own certificate. Based on the code stompClient.connect(url, handler); it seems to me that the Websocket server called by StompClient is acting as the server here, and your calling code is the client. Based on this understanding, you must configure your certificates correctly. I think you need to provide more details in the question to clarify how you have set things up. SSL is a complex topic; even a slight mistake in configuration can result in an error (evident from the fact that WS is working but not WSS).


    UPDATE:

    Based on your updated comment, it means that the client certificate is not in the picture, so there is no mutual authentication; only the server certificate will be used by the client, and it will check whether it trusts the server certificate, which means the CA which signs the server certificate should be present in the client's trust store. If your server is accessible as a web server, you could try opening it via the browser and checking whether it shows a valid certificate when you use https to access any resource/UI. That should at least help in figuring out whether the certificate is properly configured or not.
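
    As an added example (not code from the question or either answer), a small Java diagnostic that performs the same check this answer describes with openssl, but against the certificates in the client's own truststore: it lists the SAN dNSName entries (or the CN when there is no SAN, which is the fallback the JDK's HostnameChecker applies) and reports whether one of them covers the host in the wss:// URL. The truststore path, password and host are command-line arguments, and the wildcard rule is the simple left-most-label form.

    ```java
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.Enumeration;
    import java.util.List;
    import javax.naming.ldap.LdapName;
    import javax.naming.ldap.Rdn;

    public class SanCheck {
        private static final int DNS_NAME = 2; // GeneralName tag for dNSName in getSubjectAlternativeNames()
        /** DNS names from the SAN extension; the CN is used only when there are none, as the JDK checker does. */
        static List<String> hostNamesOf(X509Certificate cert) throws Exception {
            List<String> names = new ArrayList<>();
            Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
            if (sans != null) {
                for (List<?> entry : sans) if (((Integer) entry.get(0)) == DNS_NAME) names.add((String) entry.get(1));
            }
            if (names.isEmpty()) {
                for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
                }
            }
            return names;
        }
        /** Case-insensitive exact match, or a single left-most wildcard label such as *.example.com. */
        static boolean covers(String name, String host) {
            if (name.startsWith("*.")) {
                int dot = host.indexOf('.');
                return dot > 0 && host.substring(dot + 1).equalsIgnoreCase(name.substring(2));
            }
            return name.equalsIgnoreCase(host);
        }

        /** Usage: java SanCheck truststore.jks <password> <host from the wss:// URL> */
        public static void main(String[] args) throws Exception {
            String path = args[0], password = args[1], host = args[2];
            KeyStore ts = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(path)) { ts.load(in, password.toCharArray()); }
            for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
                String alias = e.nextElement();
                X509Certificate cert = (X509Certificate) ts.getCertificate(alias); // JKS trusted entries are X.509
                List<String> names = hostNamesOf(cert);
                boolean ok = names.stream().anyMatch(n -> covers(n, host));
                System.out.println(alias + " " + names + (ok ? " covers " : " does NOT cover ") + host);
            }
        }
    }
    ```

    If the certificate has a SAN extension with any dNSName entry, the CN is ignored by the JDK as well, so a CN-only certificate that also carries an unrelated SAN name will fail the host check.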

  • answered 2018-10-18 14:57 Prashanth G

    Issue is resolved. Please check the comments.