HTTP Client trying to POST - certificate subject name does not match target host name
J***@decipherworks.com.au
2017-09-22 01:18:19 UTC
Hello

I am trying to POST over https, and running into "javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca"

I *think* the reason for this is that the certificate subject name does not match target host name for the destination I am trying to post to.


Is there a way in SDI I can get around this? I am thinking of the following options
* Can SDI not validate the https certificate?
* Can I set up a dns entry (in SDI?) so that destination matches the target hostname
* Can I use a different connector other than the HTTP Client connector?



I understand that the real solution would be for the target to use a valid certificate, but getting them to do this is proving difficult.


Thank you


Regards
Jason
yn2000
2017-09-22 20:57:21 UTC
Just to add another option, if you are using TDI v7.1.1 or above, including SDI v7.2, there is a feature in the TDI CE (Console) to get the certificate from the target server.
Navigation: HTTP Client >> Connection >> Get Certificate.
And that SSL certificate (which includes the hostname) will be stored in your jks.

Rgds. YN.
Eddie Hartman
2017-09-24 12:21:46 UTC
Post by yn2000
> Just to add another option, if you are using TDI v7.1.1 or above, including SDI v7.2, there is a feature in the TDI CE (Console) to get the certificate from the target server.
> Navigation: HTTP Client >> Connection >> Get Certificate.
> And that SSL certificate (which includes the hostname) will be stored in your jks.
> Rgds. YN.

You can also use this snippet of script in your solution, i.e. when you detect a missing cert, or just in the Javascript View at the bottom of the CE (next to the Console tab):

baseurl = "https://.....";
port = 443; // or the port you are trying to access
msg = com.ibm.di.security.GetSSLCertificate.installCertificateFrom(baseurl, port)

Remember that in the Javascript view you must assign all return results to variables so they appear in the panel to the right of the script area.

-Eddie
J***@decipherworks.com.au
2017-10-06 04:44:23 UTC
Thanks for your replies

I still have my issue, but found the cause is that the HTTP Client connector is supplying a client certificate to the server

As part of the SSL/TLS handshake, the server sends a Certificate Request


What I am trying to do is return a "no digital certificate alert" and stop the HTTP client connector sending its personal certificate.


Thank you
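
The behaviour asked about in the last post, as an added example that is not part of the thread: in plain JSSE (not SDI's HTTP Client connector, whose settings the thread does not cover), a key manager that offers no alias makes the client answer the server's Certificate Request with an empty certificate list, while the server is still validated against the default trust store with host name checking on. The class name `NoClientCertProbe` and the command-line arguments are assumptions made for this example.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class NoClientCertProbe {
    // Key manager with no credentials: every alias lookup returns null, so JSSE
    // answers a CertificateRequest with an empty certificate list.
    static final class NoClientCert extends X509ExtendedKeyManager {
        public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) { return null; }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }
        public X509Certificate[] getCertificateChain(String alias) { return null; }
        public PrivateKey getPrivateKey(String alias) { return null; }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) { System.err.println("usage: NoClientCertProbe <host> [port]"); return; }
        String host = args[0];                                   // assumed: target host name
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Server validation stays on: default trust store (cacerts or javax.net.ssl.trustStore).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new NoClientCert() }, tmf.getTrustManagers(), null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // reject host name mismatches
            sock.setSSLParameters(params);
            sock.startHandshake();   // throws SSLException if the handshake fails

            SSLSession session = sock.getSession();
            X509Certificate server = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("protocol        : " + session.getProtocol());
            System.out.println("server subject  : " + server.getSubjectX500Principal());
            System.out.println("server SANs     : " + server.getSubjectAlternativeNames());
            // null means no client certificate was sent during the handshake
            System.out.println("client cert sent: " + (session.getLocalCertificates() != null));
        }
    }
}
```

If the server requires a client certificate it will still refuse the connection; under TLS 1.3 that refusal can arrive after `startHandshake()` returns, on the first read or write.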
