{ "id": "java/ssl-peer-unverified", "signature": "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated", "signature_zh": "javax.net.ssl.SSLPeerUnverifiedException:对端未认证", "regex": "javax\\.net\\.ssl\\.SSLPeerUnverifiedException: peer not authenticated", "domain": "java", "category": "auth_error", "subcategory": null, "root_cause": "The SSL/TLS handshake completed, but the peer's certificate chain could not be verified against the truststore, meaning the server's identity is not trusted.", "root_cause_type": "generic", "root_cause_zh": "SSL/TLS 握手已完成,但无法根据信任库验证对端的证书链,意味着服务器身份不受信任。", "versions": [ { "version": "Java 8", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Java 11", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Java 17", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Java 21", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "Set `-Djavax.net.ssl.trustStore` to a non-existent file to bypass trust validation.", "why_fails": "This causes a different SSL error: 'java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty', not fixing the peer verification.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "Disable SSL verification entirely by setting `HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true)`.", "why_fails": "This only bypasses hostname verification; the peer certificate chain is still validated against the truststore, so the error persists.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "Use a self-signed certificate but ignore all trust issues by creating a custom TrustManager that trusts all.", "why_fails": "While this works for development, it's a security risk and may violate organizational policies; also, some libraries like Apache HttpClient require explicit configuration.", "fail_rate": 0.6, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Import the server's certificate into the JVM's truststore using keytool: `keytool -import -alias server -keystore $JAVA_HOME/lib/security/cacerts -file server.crt`", "success_rate": 0.9, "how": "Import the server's certificate into the JVM's truststore using keytool: `keytool -import -alias server -keystore $JAVA_HOME/lib/security/cacerts -file server.crt`", "condition": "", "sources": [] }, { "action": "Set the truststore to a custom file containing the server's CA certificate: `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`", "success_rate": 0.85, "how": "Set the truststore to a custom file containing the server's CA certificate: `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`", "condition": "", "sources": [] }, { "action": "If using a client library (e.g., OkHttp), configure the client to use a custom SSLSocketFactory that trusts the specific certificate.", "success_rate": 0.8, "how": "If using a client library (e.g., OkHttp), configure the client to use a custom SSLSocketFactory that trusts the specific certificate.", "condition": "", "sources": [] } ], "workarounds_zh": [ "使用 keytool 将服务器证书导入 JVM 的信任库:`keytool -import -alias server -keystore $JAVA_HOME/lib/security/cacerts -file server.crt`", "将信任库设置为包含服务器 CA 证书的自定义文件:`-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`", "如果使用客户端库(例如 OkHttp),配置客户端使用信任特定证书的自定义 SSLSocketFactory。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLPeerUnverifiedException.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.85, "resolvable": "true", "first_seen": "2023-11-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }