Mojang Web Services / WEB-26

No subject alternative DNS name matching libraries.minecraft.net found. (Caused by safety-shutdown after "Heartbleed")


    Details

    • Type: Bug
    • Status: Resolved
    • Resolution: Fixed

      Description

      Short Moderator Note

      According to Kris Jelbring, this should be fixed now:
      https://twitter.com/KrisJelbring/status/453589636154421248

      It seems that the SSL certificate has a wrong CN entry, so I got the following error while downloading the libraries. This happens when I install a new version of Minecraft.

      [18:17:58 WARN]: Couldn't download https://libraries.minecraft.net/tv/twitch/twitch/5.16/twitch-5.16.jar for job 'Version & Libraries'
      javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching libraries.minecraft.net found.
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.7.0_45]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[?:1.7.0_45]
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) ~[?:1.7.0_45]
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) ~[?:1.7.0_45]
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) ~[?:1.7.0_45]
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) ~[?:1.7.0_45]
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) ~[?:1.7.0_45]
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) ~[?:1.7.0_45]
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) ~[?:1.7.0_45]
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[?:1.7.0_45]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ~[?:1.7.0_45]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) ~[?:1.7.0_45]
      	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[?:1.7.0_45]
      	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.7.0_45]
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300) ~[?:1.7.0_45]
      	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468) ~[?:1.7.0_45]
      	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) ~[?:1.7.0_45]
      	at net.minecraft.launcher.updater.download.ChecksummedDownloadable.download(ChecksummedDownloadable.java:49) ~[launcher.jar:?]
      	at net.minecraft.launcher.updater.download.DownloadJob.popAndDownload(DownloadJob.java:108) [launcher.jar:?]
      	at net.minecraft.launcher.updater.download.DownloadJob.access$000(DownloadJob.java:12) [launcher.jar:?]
      	at net.minecraft.launcher.updater.download.DownloadJob$1.run(DownloadJob.java:89) [launcher.jar:?]
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [?:1.7.0_45]
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262) [?:1.7.0_45]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [?:1.7.0_45]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [?:1.7.0_45]
      	at java.lang.Thread.run(Thread.java:744) [?:1.7.0_45]
      Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching libraries.minecraft.net found.
      	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191) ~[?:1.7.0_45]
      	at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) ~[?:1.7.0_45]
      	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347) ~[?:1.7.0_45]
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203) ~[?:1.7.0_45]
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) ~[?:1.7.0_45]
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) ~[?:1.7.0_45]
      	... 21 more

      After checking it with openssl, you can see that the CN of the certificate is wrong. It's a wildcard certificate for CN=*.cloudfront.net.

      ~  ᐅ openssl s_client -showcerts -connect libraries.minecraft.net:443
      CONNECTED(00000003)
      depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
      verify error:num=20:unable to get local issuer certificate
      verify return:0
      ---
      Certificate chain
       0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.cloudfront.net
         i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
       1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
         i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
      ---
      Server certificate
      subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.cloudfront.net
      issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 3501 bytes and written 440 bytes
      ---
      New, TLSv1/SSLv3, Cipher is RC4-MD5
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1
          Cipher    : RC4-MD5
          Session-ID: A2B04D7C717B05547E18132F2CA6818934991A9F8D5A14DDF03753F5DB8E37D1
          Session-ID-ctx:
          Master-Key: B6BBAA4367D9F1DD528AA67022A035C28B6AF10FC1EEB1D12226D3C25511A66CC52ECD3D6A6F32158E559F837E8C9FFB
          Key-Arg   : None
          Start Time: 1396975068
          Timeout   : 300 (sec)
          Verify return code: 0 (ok)
      ---
      closed
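
The hostname check that produced the exception above can be reproduced offline. The following is an added example, not part of the original report and not the launcher's or the JDK's code: a simplified RFC 6125-style matcher run against a constructed SAN list that is assumed to mirror the `CN=*.cloudfront.net` certificate shown in the openssl output.

```python
def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """'*' is accepted only as the whole leftmost label and stands for
    exactly one label of the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.net' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def check_identity(hostname, san_dns, subject_cn):
    """Return (ok, reason). dNSName SAN entries, when present, are the only
    identities consulted; the subject CN is a fallback for certificates
    that carry none."""
    if san_dns:
        if any(dns_name_matches(s, hostname) for s in san_dns):
            return True, "matched subjectAltName"
        return False, f"No subject alternative DNS name matching {hostname} found."
    if subject_cn and dns_name_matches(subject_cn, hostname):
        return True, "matched subject CN"
    return False, "subject CN does not match"


# Constructed sample values (assumption): names consistent with the
# CN=*.cloudfront.net subject in the report.
SAN_DNS = ["*.cloudfront.net", "cloudfront.net"]
SUBJECT_CN = "*.cloudfront.net"

if __name__ == "__main__":
    for host in ("libraries.minecraft.net",   # host the launcher requested
                 "example.cloudfront.net",    # constructed: one label under the wildcard
                 "a.b.cloudfront.net"):       # constructed: two labels, wildcard must not span
        print(host, check_identity(host, SAN_DNS, SUBJECT_CN))
```

`openssl s_client` as run above does not compare the certificate names against the requested host, so its `Verify return code` line says nothing about this mismatch.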

              People

              Assignee:
              mojangweb [Mojang] Web Team
              Reporter:
              madcad Torsten Walluhn