Problem Description
One of our applications running on WLS 11.1.1.6 was making a call out to another application (in the cloud) that used a wildcard certificate, but the call was failing: the application was getting SSL handshake errors.
Observed Errors in WLS .log file after enabling SSL Debug
Error 1:
####<Jan 12, 2017 7:55:28 PM GMT> <Debug> <SecuritySSL> <hostname> <managedWlsServer> <[ACTIVE] ExecuteThread: '24' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <005HUgPGK1l3r2^5xVL6iW00072p001rau> <1484250928162> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '24' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1467)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1435)
Error 2:
####<Jan 12, 2017 7:57:22 PM GMT> <Debug> <SecuritySSL> <hostname> <managedWlsServer> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1484251042205> <BEA-000000> <Exception processing certificates: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(VirtualConnection.java:176)
at weblogic.servlet.internal.VirtualConnection.init(VirtualConnection.java:78)
Documents found on the net
https://blogs.oracle.com/sravansarraju/entry/wildcard_ssl_certificate_support_in
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG576 (search for wildcard or wildcard character)
Possible Solution
- Go to WLS Admin Console.
- Go to Environment -> Servers on the menu to the left.
- Click on the managed server.
- Click on the SSL tab at the top.
- Take a Lock & Edit.
- Click on Advanced.
- Change Hostname Verification to "Custom Hostname Verifier".
- In the "Custom Hostname Verifier" text field put in "weblogic.security.utils.SSLWLSWildcardHostnameVerifier".
- Example: (screenshot of the SSL Advanced settings not included on this page)
- Save and activate the changes.
- Restart the WLS instance.
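To see why the default verifier rejects the cloud service's certificate while the wildcard verifier accepts it, here is a small model of the two hostname checks, written as an added example for this post (it is not WebLogic's code; the certificate names and hostnames are constructed, and the wildcard rules follow RFC 6125 rather than anything specific to the linked Oracle doc).

```python
import re

# Constructed sample: the names a cloud service's wildcard certificate might carry
# (CN / subjectAltName entries). Not taken from a real certificate.
CERT_NAMES = ["*.cloudapp.example", "api.cloudapp.example"]

# A single DNS label: letters, digits and internal hyphens only.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def exact_match(name, hostname):
    """Model of a strict verifier: the certificate name must equal the URL host."""
    return name.lower() == hostname.lower()


def wildcard_match(name, hostname):
    """Model of a wildcard-aware verifier (RFC 6125 style): '*' is allowed only as
    the whole left-most label, it stands for exactly one label, and it never matches
    the bare domain ('cloudapp.example') or a deeper subdomain ('a.b.cloudapp.example')."""
    name, hostname = name.lower(), hostname.lower()
    if "*" not in name:
        return exact_match(name, hostname)
    labels = name.split(".")
    # Reject '*foo.example', 'a.*.example' and overly broad patterns such as '*.com'.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels):
        return False
    return _LABEL.match(host_labels[0]) is not None and host_labels[1:] == labels[1:]


def verify(hostname, cert_names, allow_wildcard):
    """Return True if the hostname is accepted for this certificate under the chosen verifier.
    A False result is what surfaces as the handshake_failure / 'peer not authenticated' errors."""
    matcher = wildcard_match if allow_wildcard else exact_match
    return any(matcher(n, hostname) for n in cert_names)


if __name__ == "__main__":
    for host in ["api.cloudapp.example", "files.cloudapp.example", "cloudapp.example"]:
        print(host, "strict:", verify(host, CERT_NAMES, False),
              "wildcard:", verify(host, CERT_NAMES, True))
```

The wildcard verifier still refuses the bare domain and multi-level subdomains, so switching it on does not turn the certificate into a match for any host.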
*Note: We already have JSSE enabled; I am not sure whether this makes any difference.
**Note: Thank you to the blog and doc above that I found on the internet for the info. I am only posting this in case I run into it again, or in case someone else does, so that they can find it more easily.
*** Note: this did not fix our issues, but I am not ruling out that it didn't fix the wildcard certificate part.