JDK-8214440 : ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
  • Type: Bug
  • Component: core-libs
  • Sub-Component: javax.naming
  • Affected Version: 12
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2018-11-28
  • Updated: 2021-04-01
  • Resolved: 2019-01-10
The Version table provides details about the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 11: 11.0.8-oracle (Fixed)
  • JDK 13: 13 b04 (Fixed)
  • JDK 8: 8u261 (Fixed)
  • Other: openjdk8u275 (Fixed)
Description
----------System.err:(35/2441)----------
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate.
	at java.naming/com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:436)
	at java.naming/com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:225)
	at java.naming/com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:170)
	at LDAPExtendedOpTestBase.activateTLS(LDAPExtendedOpTestBase.java:58)
	at Read.activateTLS(Read.java:20)
	at Read.runTest(Read.java:34)
	at TestBase.launch(LDAPTestBase.java:210)
	at LDAPTestBase.launch(LDAPTestBase.java:19)
	at TestBase.run(LDAPTestBase.java:178)
	at LDAPTestBase.run(LDAPTestBase.java:19)
	at LDAPClosedTestBase.run(LDAPClosedTestBase.java:15)
	at Read.main(Read.java:23)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:567)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
	at java.base/java.lang.Thread.run(Thread.java:835)
Caused by: java.security.cert.CertificateException: Illegal given domain name: 
	at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:192)
	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:102)
	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:108)
	at java.naming/com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416)
	... 17 more
Caused by: java.lang.IllegalArgumentException: Server name value of host_name cannot be empty
	at java.base/javax.net.ssl.SNIHostName.checkHostName(SNIHostName.java:314)
	at java.base/javax.net.ssl.SNIHostName.<init>(SNIHostName.java:108)
	at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:190)
	... 20 more
Comments
Fix Request (OpenJDK 8u): We've had reports that this issue now occurs with OpenJDK 8u272 [1]. It's also in Oracle JDK 8u261. It appears JDK-8160768, which got included with 8u272, makes this issue appear. The patch applies clean after unshuffling. Seems low risk. Tested with test/com/sun/jndi test/javax/naming/ and noted no regressions.
[1] https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-October/012887.html
30-10-2020

jdk11 backport request: I would like to have the patch in openjdk11 as well, for better parity with 11.0.8_oracle. The patch applies cleanly.
03-06-2020