OK, I think I’ve found the solution to this one. Basically it’s a “design choice” made by both Apache and Java >= 1.7.
The issue is that Java always sends an SNI name request (which is good since IP addresses are in short supply). If you have an Apache server that’s only serving one site (or, like ours, where each site has a unique IP) and you don’t specify a ServerName directive, Apache will respond using the local host name (if defined) or the IP of the connection. Apache also sends a warning that the names don’t match (which is against the advice in the spec). Java sees that warning and turns it into a fatal error, so the connection is aborted.
The solution is simply to add a ServerName directive that matches the SSL certificate’s CN (add ServerAliases too if needed).
For a fuller discussion of this issue, see http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0
Having made this change to the server config, my cards now once again validate correctly.
Thanks for the assistance.
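An added example, not part of the original post: a small audit that flags SSL virtual hosts with no ServerName, or with a ServerName/ServerAlias that the certificate does not cover, which is the condition described above. The sample config, file paths, certificate name map and function names are all constructed for illustration, and it assumes bare host names (no scheme or port) in ServerName.

```python
import re

# Constructed sample (not from the post): two SSL vhosts on unique IPs,
# the first missing ServerName as in the failure described above.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/shop.pem
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    ServerAlias example.org static.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.pem
</VirtualHost>
"""
# Constructed: certificate file -> names (CN/SAN) that certificate carries.
CERT_NAMES = {"/etc/ssl/certs/shop.pem": ["shop.example.org"],
              "/etc/ssl/certs/www.pem": ["www.example.org", "example.org"]}

def cert_name_matches(host, cert_name):
    """Compare a host to a certificate name; '*.' covers exactly one label."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

def audit_vhosts(conf, cert_names):
    """Return (vhost address, problem) tuples for SSL-enabled vhosts."""
    findings = []
    pattern = r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>"
    for addr, body in re.findall(pattern, conf, re.S | re.I):
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue  # plain HTTP vhost, SNI does not apply
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        names = cert_names.get(cert.group(1), []) if cert else []
        server = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        if not server:
            findings.append((addr, "no ServerName"))
            continue
        hosts = [server.group(1)]
        for alias in re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M | re.I):
            hosts += alias.split()
        for h in hosts:
            if not any(cert_name_matches(h, n) for n in names):
                findings.append((addr, f"{h} not in certificate"))
    return findings

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_CONF, CERT_NAMES))
```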