SSLPeerUnverifiedException with LDAP+StartTLS on OpenJDK 1.8.0_272
Issue
After updating OpenJDK from java-1.8.0-openjdk-1.8.0.265.b01-4.el8.x86_64 to java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64, the LDAP JNDI client code starts throwing the following exception:
javax.net.ssl|ALL|01|main|2020-11-13 13:00:19.543 JST|Logger.java:765|Invalidated session: Session(1605240019463|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:447)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:225)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:170)
at sample.LdapClientStartTLS.search(LdapClientStartTLS.java:38)
at sample.LdapClientStartTLS.main(LdapClientStartTLS.java:24)
Caused by: java.security.cert.CertificateException: Illegal given domain name:
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:102)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:108)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:426)
... 4 more
Caused by: java.lang.IllegalArgumentException: Server name value of host_name cannot be empty
at javax.net.ssl.SNIHostName.checkHostName(SNIHostName.java:314)
at javax.net.ssl.SNIHostName.<init>(SNIHostName.java:108)
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:205)
... 7 more
Environment
- Red Hat Enterprise Linux (RHEL) 8
- Red Hat OpenJDK
  - 1.8.0_272