
java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization #1926

Closed
andynugent opened this issue Sep 23, 2022 · 4 comments
Assignees
Labels
Waiting for Response Waiting for a reply from the original poster, or affiliated party

Comments

@andynugent

Driver version

10.2.0.jre8

SQL Server version

Microsoft SQL Azure (RTM) - 12.0.2000.8 Sep 3 2022 05:39:53 Copyright (C) 2022 Microsoft Corporation

Client Operating System

Windows 10

JAVA/JVM version

1.8.0_341

Table schema

N/A

Problem description

I have a Java web app using mssql-jdbc v10.2.0.jre8 (https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc/10.2.0.jre8) and we are occasionally seeing the following error:

java.security.cert.CertificateException: Failed to validate the server name ".xxx.yyyyyy.uksouth1-a.worker.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate ".sql.azuresynapse-dogfood.net"

I've found numerous issues from around 2017 / 2018 with (much) older versions of mssql-jdbc having this issue, but nothing reported for the version we're using. e.g.

#623
https://stackoverflow.com/questions/41141100/azure-webjobs-cant-connect-to-sql-using-encrypted-communication#comment130361261_41141100
https://stackoverflow.com/questions/11755951/certificate-exception-connecting-to-azure-sql-with-jdbc-with-default-connection#comment130361244_11755951

We're using the JDBC connection string supplied by the Azure Portal,

jdbc:sqlserver://....database.windows.net:1433;database=...;user=...;password=...;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;

Which, according to https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption?view=sql-server-ver16, can cause the error we're seeing:

If the encrypt property is true and the trustServerCertificate property is false and if the server name in the connection string doesn't match the server name in the TLS certificate, the following error will be issued: The driver couldn't establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.". With version 7.2 and up, the driver supports wildcard pattern matching in the left-most label of the server name in the TLS certificate.

We're reluctant to loosen the security settings recommended by Azure.

Expected behavior

The connection to work consistently

Actual behavior

Connection occasionally fails

Error message/stack trace

21-Sep-2022 07:46:40.413 SEVERE [http-nio-169.254.129.2-80-exec-6] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [global-kronos-framework-webapp-servlet] in context with path [] threw exception [org.hibernate.exception.JDBCConnectionException: could not extract ResultSet] with root cause
java.security.cert.CertificateException: Failed to validate the server name ".tr3200.uksouth1-a.worker.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate ".sql.azuresynapse-dogfood.net"
at com.microsoft.sqlserver.jdbc.TDSChannel$HostNameOverrideX509TrustManager.validateServerNameInCertificate(IOBuffer.java:1801)
at com.microsoft.sqlserver.jdbc.TDSChannel$HostNameOverrideX509TrustManager.checkServerTrusted(IOBuffer.java:1710)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1418)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1324)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:439)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:410)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:2021)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3204)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2833)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2675)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1640)
at com.microsoft.sqlserver.jdbc.ReconnectThread.run(IdleConnectionResiliency.java:414)

21-Sep-2022 07:46:39.660 WARN [http-nio-169.254.129.2-80-exec-6] org.hibernate.engine.jdbc.spi.SqlExceptionHelper.logExceptions SQL Error: 0, SQLState: 08S01
21-Sep-2022 07:46:39.667 ERROR [http-nio-169.254.129.2-80-exec-6] org.hibernate.engine.jdbc.spi.SqlExceptionHelper.logExceptions The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Failed to validate the server name ".tr3200.uksouth1-a.worker.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate ".sql.azuresynapse-dogfood.net"". ClientConnectionId:40e2f319-3b8c-4f95-8c1c-ebddea746d9a
21-Sep-2022 07:46:39.827 WARNING [http-nio-169.254.129.2-80-exec-6] com.mchange.v2.c3p0.impl.NewPooledConnection. [c3p0] A PooledConnection that has already signalled a Connection error is still in use!
21-Sep-2022 07:46:39.835 WARNING [http-nio-169.254.129.2-80-exec-6] com.mchange.v2.c3p0.impl.NewPooledConnection. [c3p0] Another error has occurred [ com.microsoft.sqlserver.jdbc.SQLServerException: The connection is closed. ] which will not be reported to listeners!
com.microsoft.sqlserver.jdbc.SQLServerException: The connection is closed.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:237)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.checkClosed(SQLServerConnection.java:1532)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.checkClosed(SQLServerStatement.java:1101)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.getMaxRows(SQLServerStatement.java:1134)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.getMaxRows(NewProxyPreparedStatement.java:2045)
at org.hibernate.resource.jdbc.internal.ResourceRegistryStandardImpl.close(ResourceRegistryStandardImpl.java:186)
at org.hibernate.resource.jdbc.internal.ResourceRegistryStandardImpl.release(ResourceRegistryStandardImpl.java:109)
at org.hibernate.loader.Loader.getResultSet(Loader.java:2327)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:2075)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:2037)
at org.hibernate.loader.Loader.doQuery(Loader.java:956)
at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:357)
at org.hibernate.loader.Loader.doList(Loader.java:2868)
at org.hibernate.loader.Loader.doList(Loader.java:2850)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2682)
at org.hibernate.loader.Loader.list(Loader.java:2677)
at org.hibernate.loader.criteria.CriteriaLoader.list(CriteriaLoader.java:109)
at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1922)
at org.hibernate.internal.CriteriaImpl.list(CriteriaImpl.java:370)
at hvpd.hibernate.HibernateUtils.getUniqueResult(HibernateUtils.java:400)
at hvpd.gkf.api.CurrentUser.getGKFUserImpl(CurrentUser.java:41)
at hvpd.gkf.api.CurrentUser.getGKFUser(CurrentUser.java:56)
at hvpd.gkf.api.CurrentUser.Get(CurrentUser.java:31)
at sun.reflect.GeneratedMethodAccessor214.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.microsoft.azure.appservice.filters.AppServiceFilter.doFilter(AppServiceFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.microsoft.azure.appservice.EasyAuthFilter.doFilter(EasyAuthFilter.java:42)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1722)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)


@tkyc
Member

tkyc commented Sep 23, 2022

"Failed to validate the server name ".tr3200.uksouth1-a.worker.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate ".sql.azuresynapse-dogfood.net

Hi, could you try removing this connection string property hostNameInCertificate=*.database.windows.net? It's best to let the driver determine the hostNameInCertificate value. From the error message, it looks like the connection string property is erroneously matching the wrong name when the certificate has the name sql.azuresynapse-dogfood.net.

@tkyc tkyc added the Waiting for Response Waiting for a reply from the original poster, or affiliated party label Sep 23, 2022
@tkyc tkyc self-assigned this Sep 23, 2022
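To make the name check in the quoted documentation and in the comment above concrete, here is an added illustration that is not the mssql-jdbc driver's own code: a matcher applying the left-most-label wildcard rule (one wildcard label, RFC 6125 style) to constructed host and certificate names. The class name, the sample names and the treatment of a wildcard given as hostNameInCertificate are all assumptions for this illustration, not the driver's confirmed behaviour.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Illustrative matcher added for this issue; it is NOT the mssql-jdbc driver's own code.
// It applies the rule the driver docs describe: a wildcard is honoured only in the
// left-most label of the certificate name and stands for exactly one label.
public final class ServerNameCheck {

    // Case-insensitive comparison of one certificate name against the expected host name.
    static boolean matches(String expectedHost, String nameInCert) {
        String host = expectedHost.toLowerCase(Locale.ROOT);
        String cert = nameInCert.toLowerCase(Locale.ROOT);
        if (!cert.startsWith("*.")) {
            return host.equals(cert);                 // no wildcard: exact match only
        }
        int firstDot = host.indexOf('.');
        if (firstDot <= 0) {
            return false;                             // nothing for the wildcard to cover
        }
        // "*" covers the first label only, so a.b.example.com does not match *.example.com.
        return host.substring(firstDot).equals(cert.substring(1));
    }

    // Expected name: hostNameInCertificate when it is set, otherwise the connection host
    // (assumption modelled on the quoted docs). With trustServerCertificate=false any
    // mismatch must fail the handshake rather than be silently accepted.
    static boolean validate(String serverName, String hostNameInCertificate, List<String> certNames) {
        String expected = hostNameInCertificate != null ? hostNameInCertificate : serverName;
        return certNames.stream().anyMatch(name -> matches(expected, name));
    }

    public static void main(String[] args) {
        // Constructed sample names, modelled on the issue but not copied from its logs.
        List<String> gatewayCert = Arrays.asList("*.database.windows.net");
        List<String> otherCert   = Arrays.asList("*.sql.example-worker.net");       // assumed name
        String connHost   = "myserver.database.windows.net";                        // assumed host
        String workerHost = "myserver.region1-a.worker.database.windows.net";       // assumed host

        report("gateway cert, host from connection string", validate(connHost, null, gatewayCert));
        report("gateway cert, multi-label worker host (wildcard covers one label only)",
                validate(workerHost, null, gatewayCert));
        report("certificate from a different domain, no override", validate(connHost, null, otherCert));
        report("pinned hostNameInCertificate against a different-domain certificate",
                validate(workerHost, "*.database.windows.net", otherCert));
    }

    static void report(String label, boolean ok) {
        System.out.println((ok ? "MATCH    " : "MISMATCH ") + label);
    }
}
```

The last two cases are the shape of failure in this issue: once the server presents a certificate for another domain, no value of hostNameInCertificate can match it, so the correct response is to investigate which endpoint was reached, not to set trustServerCertificate=true.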
@andynugent
Author

I've removed that from the connection string and will let you know how it goes (it's only happened about 10 times in the last 3 months, so we can't tell instantly)

@lilgreenbird
Contributor

hi @andynugent

Please let us know if you have any more questions; otherwise we will be closing this due to inactivity.

@lilgreenbird
Contributor

Closing due to inactivity. Please request to re-open if you have more questions.
