diff --git a/okhttp/src/main/java/okhttp3/internal/connection/RealConnection.java b/okhttp/src/main/java/okhttp3/internal/connection/RealConnection.java
index 25445fac5..cca07e9df 100644
--- a/okhttp/src/main/java/okhttp3/internal/connection/RealConnection.java
+++ b/okhttp/src/main/java/okhttp3/internal/connection/RealConnection.java
@@ -26,6 +26,7 @@ import java.net.Socket;
 import java.net.SocketException;
 import java.net.SocketTimeoutException;
 import java.net.UnknownServiceException;
+import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
@@ -323,11 +324,18 @@ public final class RealConnection extends Http2Connection.Listener implements Co
 // Verify that the socket's certificates are acceptable for the target host.
 if (!address.hostnameVerifier().verify(address.url().host(), sslSocketSession)) {
- X509Certificate cert = (X509Certificate) unverifiedHandshake.peerCertificates().get(0);
- throw new SSLPeerUnverifiedException("Hostname " + address.url().host() + " not verified:"
- + "\n certificate: " + CertificatePinner.pin(cert)
- + "\n DN: " + cert.getSubjectDN().getName()
- + "\n subjectAltNames: " + OkHostnameVerifier.allSubjectAltNames(cert));
+ List peerCertificates = unverifiedHandshake.peerCertificates();
+ if (!peerCertificates.isEmpty()) {
+ X509Certificate cert = (X509Certificate) peerCertificates.get(0);
+ throw new SSLPeerUnverifiedException(
+ "Hostname " + address.url().host() + " not verified:"
+ + "\n certificate: " + CertificatePinner.pin(cert)
+ + "\n DN: " + cert.getSubjectDN().getName()
+ + "\n subjectAltNames: " + OkHostnameVerifier.allSubjectAltNames(cert));
+ } else {
+ throw new SSLPeerUnverifiedException(
+ "Hostname " + address.url().host() + " not verified (no certificates)");
+ }
 }
 // Check that the certificate pinner is satisfied by the certificates presented.
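Review bot: The cast `(X509Certificate) peerCertificates.get(0)` in the non-empty branch is still unchecked, so a peer certificate of another type would raise ClassCastException on this error path instead of the SSLPeerUnverifiedException callers expect. The connection still fails closed either way, but the diagnostic is lost and the exception type changes. Guarding the branch as `if (!peerCertificates.isEmpty() && peerCertificates.get(0) instanceof X509Certificate) {` would send that case to the generic message as well. The declaration reads as a raw `List` here; given the new `Certificate` import it is presumably `List<Certificate>` with the type argument lost in rendering, which is worth confirming. The enclosing method starts and ends outside the hunk, and no test for the empty-certificate rejection is visible in this diff.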