<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Daniel, thanks for bringing this up. This sounds like
<a class="moz-txt-link-freetext" href="https://bugs.openjdk.java.net/browse/JDK-8212885">https://bugs.openjdk.java.net/browse/JDK-8212885</a>. I'm very close to
a fix on this one, just working out a few issues in testing.<br>
<br>
--Jamil<br>
<br>
<div class="moz-cite-prefix">On 10/8/2018 2:34 PM, Daniel
Christensen wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5BBBCD48020000BE0009B4B0@prvgwdev-52.provo.novell.com">
<meta name="Generator" content="Novell Groupwise Client (Version
18.1.0 Build: 132042)">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div class="GroupWiseMessageBody"
id="GroupWiseSection_1539033519000_Daniel.Christensen@microfocus.com_05206B6010D10000A74B740017007100_">
<div>I have a custom HostnameVerifier that attempts to examine
the certificate chain using SSLSession#getPeerCertificates().
After upgrading to Java 11, where it seems that TLSv1.3 is
used by default, I am seeing that getPeerCertificates() throws
an SSLPeerUnverifiedException after an HTTP redirect has
occurred. If I force the protocol to TLSv1.2 this does not
occur. If there is no redirect, then this does not occur.</div>
<div><br>
</div>
<div>Is this a bug in Java or a change in behavior with TLSv1.3?</div>
<div><br>
</div>
<div>The code below demonstrates the problem when 'protocol' is
either 'TLS' or 'TLSv1.3' and path is '/redirect'.</div>
<div><br>
</div>
<div>doTest("TLSv1.3", "/redirect"); // Fails with
SSLPeerUnverifiedException</div>
<div>
<div>doTest("TLSv1.3", "/content"); // Succeeds</div>
<div>doTest("TLSv1.2", "/redirect"); // Succeeds</div>
<div>
<div>
<div>doTest("TLSv1.2", "/content"); // Succeeds</div>
</div>
</div>
</div>
<div><br>
</div>
<div><pre>
private void doTest(String protocol, String path)
    throws IOException, NoSuchAlgorithmException, KeyManagementException
{
    // Stub server: /redirect answers 301 with Location: /content
    whenHttp(server)
        .match(get("/redirect"))
        .then(status(HttpStatus.MOVED_PERMANENTLY_301), contentType("text/html"),
              header("Location", "/content"), stringContent("redirected"));
    whenHttp(server)
        .match(get("/content"))
        .then(ok(), contentType("text/html"), stringContent("ok"));

    URL url = new URL("https", "localhost", server.getPort(), path);
    HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
    SSLContext ctx = SSLContext.getInstance(protocol);
    // Trust-all TrustManager: certificate validation is disabled for this test
    TrustManager[] tms = {new X509TrustManager()
    {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType){}
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType){}
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }};
    ctx.init(null, tms, new SecureRandom());
    conn.setSSLSocketFactory(ctx.getSocketFactory());
    conn.setHostnameVerifier(new HostnameVerifier()
    {
        @Override
        public boolean verify(String hostname, SSLSession session)
        {
            java.security.cert.Certificate[] chain = null;
            try
            {
                // Throws with TLSv1.3 once the redirect has been followed
                chain = session.getPeerCertificates();
            }
            catch (SSLPeerUnverifiedException e)
            {
                throw new RuntimeException(e);
            }
            return true;
        }
    });
    int status = conn.getResponseCode();
    assertEquals(200, status);
}
</pre></div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Dan<br>
</div>
<span id="GWSignatureSent" style="padding-right: 0px;
padding-left: 0px; margin-bottom: 5px; display: block;"><span
style="display: block;"><br>
<span style="font-size: 10pt; display: inline-block;
-ms-word-wrap: normal;">
<div>Daniel L. Christensen</div>
<div>Distinguished Engineer</div>
<div>Micro Focus</div>
<div><a href="http://www.microfocus.com"
moz-do-not-send="true">http://www.microfocus.com</a></div>
</span></span></span><span style="margin-bottom: 5px;
display: block;"><br>
</span></div>
</blockquote>
<br>
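<div>The failure mode discussed in this thread, as an added example that is not part of either message or of the JDK: a HostnameVerifier that examines the peer chain and rejects the connection when getPeerCertificates() throws SSLPeerUnverifiedException, rather than accepting or rethrowing. The class name FailClosedVerifier and the simplified wildcard rule are assumptions of this example; it uses var, so it needs Java 10 or later.</div>

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example (hypothetical class name), not code from the original post.
public final class FailClosedVerifier implements HostnameVerifier {
    private static final Integer DNS_NAME = 2; // GeneralName type for dNSName

    @Override
    public boolean verify(String hostname, SSLSession session) {
        java.security.cert.Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // The condition reported in the post: no peer identity on the session.
            // Reject the connection and record which protocol was negotiated.
            System.err.println("No peer certificates (" + session.getProtocol()
                    + ") for " + hostname + ": " + e.getMessage());
            return false;
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        try {
            var sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (sans == null) return false; // no SAN extension: nothing to match
            for (var san : sans) {
                // Each entry is a list: [type, value]; dNSName values are Strings.
                if (DNS_NAME.equals(san.get(0)) && matches(hostname, (String) san.get(1))) {
                    return true;
                }
            }
        } catch (CertificateParsingException e) {
            System.err.println("Unparseable SAN extension for " + hostname);
        }
        return false;
    }

    // Simplified rule (assumption): exact match, or one leftmost "*." label.
    static boolean matches(String host, String pattern) {
        if (pattern.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot).equalsIgnoreCase(pattern.substring(1));
        }
        return host.equalsIgnoreCase(pattern);
    }
}
```

<div>Install it with conn.setHostnameVerifier(new FailClosedVerifier()). HttpsURLConnection consults a custom verifier only when its built-in hostname check finds a mismatch.</div>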
</body>
</html>