Play Framework WS Hostname Verification Certificate Issues

I am using Play Framework 2.3.8 and I am having trouble making HTTPS requests to certain hosts. In this instance I cannot seem to connect to a Zendesk API host (xxxxx.zendesk.com) using the WS client.

The error I get initially is:

Cannot invoke the action, eventually got an error: java.net.ConnectException: HostnameVerifier exception.

This is strange because the certificate looks fine if I view it in the browser or via openssl s_client. The CN entry matches the domain.

If I disable hostname verification, I get an error message from Cloudflare with the message "Forbidden". It is in HTML rather than JSON, which is not what I expect.

Then I tried to POST the same request with Postman and curl. The request succeeded and I got the response back in JSON.

I then used Charles Web Debugging Proxy to intercept the HTTPS requests from the Play Framework and compare them to the requests sent from Postman. Strangely enough, the requests succeeded if Charles was intercepting the requests! Charles did not shed any light on the certificate issue.

I have seen other people complaining about similar issues with Cloudflare, and in their case it turned out that their client did not support TLS 1.2. I checked, and I was running version 1.8 of the JVM, which supports TLS 1.2 by default. I even tried forcing TLS 1.2 using a config variable just in case, and that didn't help.

I figure that there is some issue with SSL in the version of Play Framework I am using.

There is 1 best solution below

Finally I tried Wireshark as a last resort to try and determine the differences between requests sent from my other clients (curl/Postman) and from the Play Framework WS client.

I noticed that the working clients sent the domain name as part of the handshake. It then clicked that it might be an SNI issue.

Sure enough, Play Framework 2.3.x does not support SNI.

The only two real options were to use a separate HTTP client like play-ws or to update my version of Play Framework to 2.4.x.

I chose the latter and now it is working.

The hostname verification issue was actually a red herring and related to the lack of support for SNI. I was able to re-enable it without issue.

I hope this helps someone with the same issue!