Apache NiFi / NIFI-3740

Hostname validation error message can be unclear if SAN fails but CN matches hostname


Details

    Description

      As reported on the mailing list, the error message can be very confusing if the hostname matches the certificate CN but not the SAN.

      On Apr 23, 2017, at 4:42 PM, Joe Gresock <jgresock@gmail.com> wrote:

      Just to follow up – apparently if the Subject Alternate Name is set
      incorrectly, it will result in this error. Apparently the CN is ignored if
      the SAN is set on the cert.

      On Sat, Apr 22, 2017 at 12:08 PM, Joe Gresock <jgresock@gmail.com> wrote:

      I've been banging my head against the wall on this one.. is there a good
      way to further debug this RPG error? The hostname clearly matches the
      certificate CN.

      2017-04-22 12:04:35,932 WARN [Remote Process Group 68ed2275-894d-3d75-b457-9d28a1b680e0: https://ip-172-31-33-37.ec2.internal:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup Unable to connect to RemoteProcessGroup[https://ip-172-31-33-37.ec2.internal:8443/nifi] due to javax.net.ssl.SSLPeerUnverifiedException: Host name 'ip-172-31-33-37.ec2.internal' does not match the certificate subject provided by the peer (CN=ip-172-31-33-37.ec2.internal, OU=LZ, O=LZS, L=Jessup, ST=Maryland, C=US)

      The exception thrown by the code under discussion should differentiate between the reasons the verification failed so a more helpful error message can be displayed to the user/in the logs.

      See RFC 2818 for more information.
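
      One way to produce the differentiated message requested above, as an added example that is not NiFi or HttpClient code: the class and method names are hypothetical, the SAN value in `main` is constructed, and only DNS-name identities are handled (not IP addresses).

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
/** Added example: hypothetical helper that explains why RFC 2818 hostname matching failed. */
public class HostnameMismatchDiagnosis {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName
    /** sans has the shape returned by X509Certificate.getSubjectAlternativeNames(); may be null. */
    public static String diagnose(String host, String subjectDn, Collection<List<?>> sans)
            throws InvalidNameException {
        List<String> dnsNames = new ArrayList<>();
        if (sans != null) {
            for (List<?> entry : sans) {
                if ((Integer) entry.get(0) == SAN_DNS_NAME) dnsNames.add((String) entry.get(1));
            }
        }
        String cn = null; // getRdns() lists the left-most (most specific) RDN last, so it wins
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cn = rdn.getValue().toString();
        }
        boolean cnMatches = cn != null && matches(host, cn);
        if (!dnsNames.isEmpty()) {
            // RFC 2818 section 3.1: a dNSName SAN, when present, is the identity; CN is not consulted.
            for (String name : dnsNames) {
                if (matches(host, name)) return "OK: matched SAN dNSName " + name;
            }
            return "FAIL: host '" + host + "' matches none of the SAN dNSName entries " + dnsNames
                    + (cnMatches ? "; CN '" + cn + "' matches but is ignored because a SAN is present" : "");
        }
        if (cnMatches) return "OK: no SAN dNSName present, matched CN " + cn;
        return "FAIL: no SAN dNSName present and host '" + host + "' does not match CN '" + cn + "'";
    }
    /** Case-insensitive match; a leading "*." wildcard covers exactly one left-most label. */
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }
    public static void main(String[] args) throws InvalidNameException {
        // Host and subject DN are taken from the log above; the SAN entry is a constructed value.
        String host = "ip-172-31-33-37.ec2.internal";
        String dn = "CN=ip-172-31-33-37.ec2.internal, OU=LZ, O=LZS, L=Jessup, ST=Maryland, C=US";
        List<?> entry = List.of(SAN_DNS_NAME, "nifi.example.internal");
        System.out.println(diagnose(host, dn, List.of(entry))); // SAN present but wrong
        System.out.println(diagnose(host, dn, null));           // no SAN, CN fallback applies
    }
}
```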

            People

              Unassigned Unassigned
              alopresto Andy LoPresto