<html><head>

<meta name="Generator" content="Novell Groupwise Client (Version 18.1.0  Build: 132042)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1539033519000_Daniel.Christensen@microfocus.com_05206B6010D10000A74B740017007100_"><div>I have a custom HostnameVerifier that attempts to examine the certificate chain using SSLSession#getPeerCertificates(). After upgrading to Java 11, where it seems that TLSv1.3 is used by default, I am seeing that getPeerCertificates() throws an SSLPeerUnverifiedException after an HTTP redirect has occurred. If I force the protocol to TLSv1.2, this does not occur. If there is no redirect, this does not occur either.</div><div><br></div><div>Is this a bug in Java or a change in behavior with TLSv1.3?</div><div><br></div><div>The code below demonstrates the problem when 'protocol' is either 'TLS' or 'TLSv1.3' and path is '/redirect'.</div><div><br></div><pre>doTest("TLSv1.3", "/redirect"); // Fails with SSLPeerUnverifiedException
doTest("TLSv1.3", "/content");  // Succeeds
doTest("TLSv1.2", "/redirect"); // Succeeds
doTest("TLSv1.2", "/content");  // Succeeds</pre><div><br></div><pre>// Imports added for completeness. The stub HTTP server DSL used below (whenHttp, get, ok,
// status, header, contentType, stringContent, HttpStatus) is assumed to be Restito with Grizzly.
import static com.xebialabs.restito.builder.stub.StubHttp.whenHttp;
import static com.xebialabs.restito.semantics.Action.*;
import static com.xebialabs.restito.semantics.Condition.get;
import static org.junit.Assert.assertEquals;

import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.glassfish.grizzly.http.util.HttpStatus;
import com.xebialabs.restito.server.StubServer;

    // Assumed: HTTPS stub server started in test setup (not shown in the original message)
    private StubServer server;

    private void doTest(String protocol, String path) throws IOException, NoSuchAlgorithmException, KeyManagementException
    {
        // /redirect answers 301 with Location: /content; /content answers 200
        whenHttp(server)
                .match(get("/redirect"))
                .then(status(HttpStatus.MOVED_PERMANENTLY_301), contentType("text/html"), header("Location", "/content"), stringContent("redirected"));
        whenHttp(server)
                .match(get("/content"))
                .then(ok(), contentType("text/html"), stringContent("ok"));

        URL url = new URL("https", "localhost", server.getPort(), path);
        HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
        SSLContext ctx = SSLContext.getInstance(protocol);
        // Test-only trust manager: accepts any server certificate so the stub server's certificate is trusted
        TrustManager[] tms = {new X509TrustManager()
        {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType){}
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType){}
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        ctx.init(null, tms, new SecureRandom());
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Verifier only fetches the peer chain; getPeerCertificates() is the call that throws
        // SSLPeerUnverifiedException under TLSv1.3 once the redirect has been followed
        conn.setHostnameVerifier(new HostnameVerifier()
        {
            @Override
            public boolean verify(String hostname, SSLSession session)
            {
                java.security.cert.Certificate[] chain = null;
                try
                {
                    chain = session.getPeerCertificates();
                }
                catch (SSLPeerUnverifiedException e)
                {
                    throw new RuntimeException(e);
                }
                return true;
            }
        });
        // Following the 301 is the default for HttpsURLConnection, so the final status should be 200
        int status = conn.getResponseCode();
        assertEquals(200, status);
    }</pre><div><br></div><div><br></div><div>Thanks,</div><div>Dan<br></div><span id="GWSignatureSent" style="padding-right: 0px; padding-left: 0px; margin-bottom: 5px; display: block;"><span style="display: block;"><br><span style="font-size: 10pt; display: inline-block; -ms-word-wrap: normal;">
<div>Daniel L. Christensen</div>
<div>Distinguished Engineer</div>
<div>Micro Focus</div><div><a href="http://www.microfocus.com">http://www.microfocus.com</a></div></span></span></span><span style="margin-bottom: 5px; display: block;"><br></span></div></body></html>
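The verifier in the message above only fetches the chain and then returns true. As an added example (not code from the original message or from the JDK), here is a HostnameVerifier that actually checks the leaf certificate's dNSName SANs against the requested host and fails closed when getPeerCertificates() throws, which is the condition the message reports under TLSv1.3 after a redirect; the class name SanHostnameVerifier and the helper matches() are names introduced here.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
// Added example (not from the original message): checks the leaf certificate's
// dNSName SANs against the requested host and rejects when the chain is unavailable.
public final class SanHostnameVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName
    @Override
    public boolean verify(String hostname, SSLSession session) {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // No peer chain on this session (the TLSv1.3 redirect case from the
            // message lands here): reject rather than throw or silently accept.
            return false;
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        try {
            // Each SAN entry is [type, value]; a missing SAN extension means no match (no CN fallback).
            java.util.Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (Integer.valueOf(DNS_NAME).equals(san.get(0)) && matches((String) san.get(1), hostname)) {
                        return true;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            // Malformed SAN extension: treat as no match.
        }
        return false;
    }
    // Exact match, or one left-most wildcard label: *.example.com matches www.example.com
    // but not example.com or a.b.example.com.
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot + 1).equals(p.substring(2));
    }
}
```

In the test above, conn.setHostnameVerifier(new SanHostnameVerifier()) would make the redirect case fail the connection with a false verdict instead of a RuntimeException.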