<html><head>
<meta name="Generator" content="Novell Groupwise Client (Version 18.1.0 Build: 132042)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1539033519000_Daniel.Christensen@microfocus.com_05206B6010D10000A74B740017007100_"><div>I have a custom HostnameVerifier that attempts to examine the certificate chain using SSLSession#getPeerCertificates(). After upgrading to Java 11, where it seems that TLSv1.3 is used by default, I am seeing that getPeerCertificates() throws an SSLPeerUnverifiedException after an HTTP redirect has occurred. If I force the protocol to TLSv1.2 this does not occur. If there is no redirect, then this does not occur.</div><div><br></div><div>Is this a bug in Java or a change in behavior with TLSv1.3?</div><div><br></div><div>The code below demonstrates the problem when 'protocol' is either 'TLS' or 'TLSv1.3' and path is '/redirect'.</div><div><br></div><div>doTest("TLSv1.3", "/redirect"); // Fails with SSLPeerUnverifiedException</div><div><div>doTest("TLSv1.3", "/content"); // Succeeds</div><div>doTest("TLSv1.2", "/redirect"); // Succeeds</div><div><div><div>doTest("TLSv1.2", "/content"); // Succeeds</div></div></div></div><div><br></div><div> private void doTest(String protocol, String path) throws IOException, NoSuchAlgorithmException, KeyManagementException<br> {<br> whenHttp(server)<br> .match(get("/redirect"))<br> .then(status(HttpStatus.MOVED_PERMANENTLY_301), contentType("text/html"), header("Location", "/content"), stringContent("redirected"));<br> whenHttp(server)<br> .match(get("/content"))<br> .then(ok(), contentType("text/html"), stringContent("ok"));<br><br> URL url = new URL("https", "localhost", server.getPort(), path);<br> HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();<br> SSLContext ctx = SSLContext.getInstance(protocol);<br> TrustManager[] tms = {new X509TrustManager()<br> {<br> @Override public void checkClientTrusted(X509Certificate[] chain, String authType){}<br> @Override public void checkServerTrusted(X509Certificate[] chain, String authType){}<br> @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }<br> }};<br> ctx.init(null, tms, new SecureRandom());<br> conn.setSSLSocketFactory(ctx.getSocketFactory());<br> conn.setHostnameVerifier(new HostnameVerifier()<br> {<br> @Override<br> public boolean verify(String hostname, SSLSession session)<br> {<br> java.security.cert.Certificate[] chain = null;<br> try<br> {<br> chain = session.getPeerCertificates();<br> }<br> catch (SSLPeerUnverifiedException e)<br> {<br> throw new RuntimeException(e);<br> }<br> return true;<br> }<br> });<br> int status = conn.getResponseCode();<br> assertEquals(200, status);<br> }</div><div><br></div><div><br></div><div>Thanks,</div><div>Dan<br></div><span id="GWSignatureSent" style="padding-right: 0px; padding-left: 0px; margin-bottom: 5px; display: block;"><span style="display: block;"><br><span style="font-size: 10pt; display: inline-block; -ms-word-wrap: normal;">
<div>Daniel L. Christensen</div>
<div>Distinguished Engineer</div>
<div>Micro Focus</div><div><a href="http://www.microfocus.com">http://www.microfocus.com</a></div></span></span></span><span style="margin-bottom: 5px; display: block;"><br></span></div></body></html>