javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

[DareBoost]

Hi !

I got an SSLProtocolException when I try to access https://www.allianz.fr or https://www.fluo.com/ through browsermob-proxy.

javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)
    at net.lightbody.bmp.proxy.http.TrustingSSLSocketFactory.createLayeredSocket(TrustingSSLSocketFactory.java:77)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at net.lightbody.bmp.proxy.http.BrowserMobHttpClient.execute(BrowserMobHttpClient.java:824)
    at net.lightbody.bmp.proxy.http.BrowserMobHttpClient.execute(BrowserMobHttpClient.java:625)
    at net.lightbody.bmp.proxy.http.BrowserMobHttpRequest.execute(BrowserMobHttpRequest.java:148)
    at net.lightbody.bmp.proxy.BrowserMobProxyHandler.proxyPlainTextRequest(BrowserMobProxyHandler.java:265)
    at net.lightbody.bmp.proxy.selenium.SeleniumProxyHandler.handle(SeleniumProxyHandler.java:185)
    at net.lightbody.bmp.proxy.jetty.http.HttpContext.handle(HttpContext.java:1509)
    at net.lightbody.bmp.proxy.jetty.http.HttpContext.handle(HttpContext.java:1461)
    at net.lightbody.bmp.proxy.jetty.http.HttpServer.service(HttpServer.java:892)
    at net.lightbody.bmp.proxy.jetty.http.HttpConnection.service(HttpConnection.java:815)
    at net.lightbody.bmp.proxy.jetty.http.HttpConnection.handleNext(HttpConnection.java:981)
    at net.lightbody.bmp.proxy.jetty.http.HttpConnection.handle(HttpConnection.java:832)
    at net.lightbody.bmp.proxy.jetty.http.SocketListener.handleConnection(SocketListener.java:245)
    at net.lightbody.bmp.proxy.jetty.util.ThreadedServer.handle(ThreadedServer.java:357)
    at net.lightbody.bmp.proxy.jetty.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

It seems to be due to the Server Name Indication (http://www.ietf.org/rfc/rfc4366.txt : page 8)
which is enabled by default in Java 7.
http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

The simpliest way to resolve the issue would be to add a flag to disabled SNI :
java -Djsse.enableSNIExtension=false

But it will disabled the SNI for all the JVM, so it may cause trouble to access other website which required SNI.

A solution to enable SNI and still support misconfigured server is suggest here: http://stackoverflow.com/a/14884941

But I'm not sure it's the best way to do it.
Any opinion ?

Thanks

[lightbody]

Unfortunately this is getting way outside my expertise. I'm happy to defer to more knowledgeable folks when it comes to SSL.

[kevin-miles]

+1 on this issue

[jekh]

Besides some minor HAR bug fixes, getting LP + certificate-spoofing MITM + bouncy castle working properly is my top priority for the next release. @kevin-miles - do you have any other examples of sites that consistency reproduce the unrecognized_name issue (or other SSL issues)? That'd be very helpful when I start digging into this.

[kevin-miles]

@jekh sorry, the only place I can consistently reproduce is on internal environments for a client. i wish i could give you access to these, but sadly cannot 😞

[jpereira06]

I'm getting this error with http://www.as.com always

[jpereira06]

http://www.finofilipino.org also fires this error

[chvbrr]

Any solution for this?

[jekh]

There isn't a solution that I'm aware of. I haven't had time to tackle this problem yet. Fixing SSL issues is the next big item on the backlog. Any investigation from the community?

[calamaty2000]

Here's another:
https://www.firemansfund.com

Also, this isn't the same issue, but it's an SSL issue. The URL is:
https://www.valueoptions.com

The solution for now is to modify my java.security file, as explained here:
https://www.richardnichols.net/2012/08/arrrggh-java-security-cert-certificateexception-certificates-does-not-conform-to-algorithm-constraints/
It would be great if this could work without having to modify my java.security file.

[chvbrr]

We implemented this by using apache httpclient and our own protocol socket factory in which we set sslParams.setServerNames to an empty list.

This is what we have in our CustomSocketFactory which implements SecureProtocolSocketFactory.

 @Override
protected void setupSocket(Socket socket, HttpConnectionParams connectParams) throws IOException {
        SSLSocket sslSocket = (SSLSocket) socket;
        setServerNames(sslSocket);
        sslSocket.startHandshake();
}

private void setServerNames(SSLSocket sslSocket) {
    List<SNIServerName> serverNames  = Collections.<SNIServerName> emptyList();
    SSLParameters sslParams = sslSocket.getSSLParameters();
    sslParams.setServerNames(serverNames);
    sslSocket.setSSLParameters(sslParams);
}

Use this factory to construct Protocol object, which we used in HostConfiguration.setHost().
Use this hostConfig to call HttpClient.executeMethod()

Even though i did not provide entire code as it is proprietary, this might be a good starting point to investigate. Hope this helps.

[jpereira06]

more info about this:

if a try to load "http://entradas.ataquilla.com" a "io.netty.handler.codec.DecoderException: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name" is fired and Firefox is unable to connect to the web.

If I set the property System.setProperty("jsse.enableSNIExtension", "false"); then previous page is load properly but pages based on virtual hosts, like https://vikinguard.com, stop working!

any idea?

[ganskef]

Hi @jekh , this is a general problem with SSL implemented in Java:

• No peer address means no SNI enabled sites (there are a lot). see: [WIP] Fix for hosts using SNI (issue #207) adamfisk/LittleProxy#210
• With peer address means unrecognized_name exception with some servers. see: SSLProtocolException: handshake alert: unrecognized_name with https://wiki.gnome.org ganskef/LittleProxy-mitm#2 (https://wiki.gnome.org/ is fixed now, https://www.fluo.com/ from the top, too :-) )

The reason is a wrong configuration of virtual hosts on the server side. The server sends a warning, browsers are ignoring it, but Java terminates. Oracle means it's "not a defect": http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7127374

The connection is terminated during handshake. A workaround might be to reconnect without peer address in case of unrecognized_name. This has to be implemented deep in LittleProxy.

An other idea could be the use of the alternate OpenSSL implementation of Netty instead of the JDK implementation, but I haven't tried it yet.

[jekh]

This is fixed with the latest release, so I'll go ahead and close.