java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.

Question

java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.

Andy Nugent 6

I have a Java web app using mssql-jdbc v10.2.0.jre8 (https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc/10.2.0.jre8) and we are occasionally seeing the following error:

java.security.cert.CertificateException: Failed to validate the server name ".xxx.yyyyyy.uksouth1-a.worker.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate ".sql.azuresynapse-dogfood.net"

I've found numerous issues from around 2017 / 2018 with (much) older versions of mssql-jdbc having this issue, but nothing reported for the version we're using.

We're using the JDBC connection string supplied by the Azure Portal,

jdbc:sqlserver://....database.windows.net:1433;database=...;user=...;password=...;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;

Which according to https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption?view=sql-server-ver16 can cause the error we're seeing:

If the encrypt property is true and the trustServerCertificate property is false and if the server name in the connection string doesn't match the server name in the TLS certificate, the following error will be issued: The driver couldn't establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.". With version 7.2 and up, the driver supports wildcard pattern matching in the left-most label of the server name in the TLS certificate.

We're reluctant to loosen the security settings recommended by Azure

Is this a known issue and is there a recommended workaround?

Sreejesh PV 20 Reputation points

2023-11-01T07:17:47.61+00:00

Hi @Andy Nugent , I am also facing the same issue and it is after migrating from jdk 8 to jdk 21. did you find any solutions to fix this ?

1 answer

Your answer

Sreejesh PV 20 Reputation points

2023-11-01T07:17:47.61+00:00

Hi @Andy Nugent , I am also facing the same issue and it is after migrating from jdk 8 to jdk 21. did you find any solutions to fix this ?

Answer 1

GeethaThatipatri-MSFT 29,542 Microsoft Employee Moderator

Hi, @Andy Nugent Welcome to the Microsoft Q&A platform, and thanks for using Azure Services.
As we understand you are seeing Java.security.cert issue occasionally and thanks for sharing the error screenshot and connection string used.

Can you please confirm your Jdbc drivers version and for HostnameInCertificate - > this should not be used as long as this is the same as the server name (the one we are connecting to)
Therefore you can remove this piece from the connection string and give it a try.

Please let me know if this helps.

Regards
Geetha

Andy Nugent 1 Reputation point

2022-09-26T13:22:03.94+00:00

We'll do that, but we were following the recommended connection string from the Azure Portal (SQL Databases | <database> | Connection strings). Are they incorrect then? I'm surprised more people aren't have this issue in that case.
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-09-26T23:29:58.933+00:00

@Andy Nugent Kindly refer to this article. Connecting with encryption - JDBC Driver for SQL Server | Microsoft Learn
If the encrypt property is true and the trustServerCertificate property is false and if the server name in the connection string doesn't match the server name in the TLS certificate, the following error will be issued: The driver couldn't establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization."

Regards
Geetha
Andy Nugent 1 Reputation point

2022-09-27T10:07:14.133+00:00

Sorry, you're missing my point. I'm happy to make the changes you recommend but this issue came about because we used the (incorrect) connection strings as specified in the Azure Portal. Is that not a bug in the Azure Portal that needs correcting? And if so, will you raise it internally or should I raise a seperate issue with them?
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-09-27T14:15:05.257+00:00

@Andy Nugent If you observe this hostNameInCertificate=*.database.windows.net, you are using start in the connection string instead of hostname, The one using from the Azure portal is correct But if you specify star , then it won't work

Regards
Geetha
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-10-07T20:19:31.18+00:00

@Andy Nugent We haven't heard back from you. if you are still looking for any additional information please let us know.

if you find the above reply useful. If yes, do click on the 'Mark as answer' link in the above reply. This will help other community members facing similar queries to refer to this solution.

Regards
Geetha

Share via

java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.

1 answer

Your answer