Java – How to bypass SSLProtocolException: handshake alert: unrecognized_name

With the release of Java SE 7 the Server Name Indication (SNI) extension was introduced as a default in the JSSE client. This enables TLS clients to connect to virtual servers (SNI is explained in RFC 4366 and I am not going to go into the specifics).

Since the “uprising” of SSL I have come across many B2B sites (including financial institutions) where their Ops department could not figure out how to properly configure SSL and it is very common to receive the following error:

Although changing SSL configuration is a simple 2 minute fix, hosting providers (I am looking at you Afrihost and MWeb) are just not capable of resolving this for their clients. This leaves then only two options:

  1. Reject the integration due to SSL errors
  2. Find a Java “workaround”

In Java there are really just two options to “fix” this:

Disable SNI across the JVM

This is a quick fix if you can not change code and will affect the entire JVM. Just pass “-Djsse.enableSNIExtension=false” into the JVM to disable the JSSE SNI extension entirely.

Disable on connection level

If you have access to the URLConnection, this is super simple: We will use our own Hostnameverifier:

The custom-class:

The above solution is a really elegant way of allowing to skip the SNI negotiation in “trusted” cases where you are not able to convince the source-system to properly configure SSL.

 

Print Friendly, PDF & Email