Unexpected error SSLPeerUnverifiedException when upgrading from 12.1.0 to 12.1.1 #7632

irineu-rassytem · 2025-05-06T18:06:15Z

Hello,

I'm using an NVD cache hosted on AWS S3, for this we use vulnz and we are currently on version vulnz-8.1.1.jar and we are using dependency-check-maven version 12.1.0
With this combination everything is working perfectly.

Today, I tried to update dependency-check-maven to version 12.1.1 and when I did that, our build stopped working and started spitting out the following error:

[ERROR] UpdateException: Unable to download the data feed META files
[ERROR] caused by DownloadFailedException: Download failed, error downloading 'https://s3.amazonaws.com/xxxxxxxxxx/cache.properties'; Certificate for <s3.amazonaws.com> doesn't match any of the subject alternative names: [s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, s3-control.us-east-1.amazonaws.com, *.s3-control.dualstack.us-east-1.amazonaws.com, s3-control.dualstack.us-east-1.amazonaws.com, *.s3-accesspoint.us-east-1.amazonaws.com, *.s3-accesspoint.dualstack.us-east-1.amazonaws.com, *.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
[ERROR] caused by SSLPeerUnverifiedException: Certificate for <s3.amazonaws.com> doesn't match any of the subject alternative names: [s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, s3-control.us-east-1.amazonaws.com, *.s3-control.dualstack.us-east-1.amazonaws.com, s3-control.dualstack.us-east-1.amazonaws.com, *.s3-accesspoint.us-east-1.amazonaws.com, *.s3-accesspoint.dualstack.us-east-1.amazonaws.com, *.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
[ERROR] NoDataException: No documents exist

If I go back to version 12.1.0, everything works again.

How can I solve this problem?
Is there a bug in version 12.1.1?

aikebah · 2025-05-07T19:13:11Z

That would be https://issues.apache.org/jira/browse/HTTPCLIENT-2365, maybe best to stay at 12.1.0 for now in your case.

Next release of DependencyCheck should resolve it by way of an Apache HTTPClient library version update.

As an alternative you could try and see if forcing httpclient5 to version 5.4.4 by explicitly adding it as a plugin dependency would make it work for you with 12.1.1

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    ...
    <dependencies>
        <dependency>
            <groupId>org.apache.httpcomponents.client5</groupId>
            <artifactId>httpclient5</artifactId>
            <version>5.4.4</version>
        </dependency>                    
    </dependencies>
</plugin>

irineu-rassytem added the bug label May 6, 2025

aikebah added this to the 12.1.2 milestone May 7, 2025

aikebah linked a pull request May 10, 2025 that will close this issue

build(deps): bump org.apache.httpcomponents.client5:httpclient5 from 5.4.3 to 5.4.4 #7617

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unexpected error SSLPeerUnverifiedException when upgrading from 12.1.0 to 12.1.1 #7632

Unexpected error SSLPeerUnverifiedException when upgrading from 12.1.0 to 12.1.1 #7632

irineu-rassytem commented May 6, 2025

aikebah commented May 7, 2025

Unexpected error SSLPeerUnverifiedException when upgrading from 12.1.0 to 12.1.1 #7632

Unexpected error SSLPeerUnverifiedException when upgrading from 12.1.0 to 12.1.1 #7632

Comments

irineu-rassytem commented May 6, 2025

aikebah commented May 7, 2025