More detailed logging in case of TLS hostname mismatch

dajudge · dajudge · commit 13a82b03b61a · 2021-06-15T13:52:23.000+02:00
diff --git a/proxybase/src/main/java/com/dajudge/proxybase/HttpClientHostnameCheck.java b/proxybase/src/main/java/com/dajudge/proxybase/HttpClientHostnameCheck.java
@@ -19,14 +19,15 @@
 
 import org.apache.hc.client5.http.ssl.HttpsSupport;
 
-import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSessionContext;
 import java.security.Principal;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
+import static java.lang.String.format;
+
 class HttpClientHostnameCheck implements HostnameCheck {
     public static final javax.net.ssl.HostnameVerifier VERIFIER = HttpsSupport.getDefaultHostnameVerifier();
     private final String hostname;
@@ -37,9 +38,15 @@ class HttpClientHostnameCheck implements HostnameCheck {
 
     @Override
     public void verify(final X509Certificate cert) throws CertificateException {
-        if (!VERIFIER.verify(hostname, new DummySslSession(cert))) {
-            throw new CertificateException("Certificate does not match hostname: " + hostname);
-        }
+        if (VERIFIER.verify(hostname, new DummySslSession(cert))) {
+            return;
+        }
+        throw new CertificateException(format(
+                "Certificate does not match hostname '%s': DN=%s, SANs=%s ",
+                hostname,
+                cert.getSubjectDN(),
+                cert.getSubjectAlternativeNames()
+        ));
     }
 
     private static class DummySslSession implements SSLSession {
@@ -100,7 +107,7 @@ public String[] getValueNames() {
         }
 
         @Override
-        public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
+        public Certificate[] getPeerCertificates()  {
             return new Certificate[]{certificate};
         }
 
@@ -116,7 +123,7 @@ public javax.security.cert.X509Certificate[] getPeerCertificateChain() {
         }
 
         @Override
-        public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
+        public Principal getPeerPrincipal()  {
             return null;
         }
 
