Merge pull request #4717 from square/jwilson.0314.no_certs

Exercise TLS with no server certificates (3.12.x branch)

okhttp/src/main/java/okhttp3/internal/connection/RealConnection.java

@@ -26,6 +26,7 @@ import java.net.Socket;
 import java.net.SocketException;
 import java.net.SocketTimeoutException;
 import java.net.UnknownServiceException;
+import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
@@ -323,11 +324,18 @@ public final class RealConnection extends Http2Connection.Listener implements Co
 
       // Verify that the socket's certificates are acceptable for the target host.
       if (!address.hostnameVerifier().verify(address.url().host(), sslSocketSession)) {
-        X509Certificate cert = (X509Certificate) unverifiedHandshake.peerCertificates().get(0);
-        throw new SSLPeerUnverifiedException("Hostname " + address.url().host() + " not verified:"
-            + "\n    certificate: " + CertificatePinner.pin(cert)
-            + "\n    DN: " + cert.getSubjectDN().getName()
-            + "\n    subjectAltNames: " + OkHostnameVerifier.allSubjectAltNames(cert));
+        List<Certificate> peerCertificates = unverifiedHandshake.peerCertificates();
+        if (!peerCertificates.isEmpty()) {
+          X509Certificate cert = (X509Certificate) peerCertificates.get(0);
+          throw new SSLPeerUnverifiedException(
+              "Hostname " + address.url().host() + " not verified:"
+                  + "\n    certificate: " + CertificatePinner.pin(cert)
+                  + "\n    DN: " + cert.getSubjectDN().getName()
+                  + "\n    subjectAltNames: " + OkHostnameVerifier.allSubjectAltNames(cert));
+        } else {
+          throw new SSLPeerUnverifiedException(
+              "Hostname " + address.url().host() + " not verified (no certificates)");
+        }
       }
 
       // Check that the certificate pinner is satisfied by the certificates presented.