Hi Aparna,

This can happen when the client does not send the SNI[1][2] to the server
side to select the proper HTTPS virtual host. In this case the vhost is
created in the NGINX reverse proxy. Most modern browsers send SNI to the
server, therefore you will not observe this when you make the request via a
modern browser.

Most of the new Java HTTP client libraries also support SNI. As an example,
the Apache httpclient library supports SNI from version 4.3.2 [3]. If you use
a library which does not support SNI, you will get this error for HTTPS calls
going towards services hosted in virtual host environments.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://www.ietf.org/rfc/rfc3546.txt
[3] https://hc.apache.org/news.html

On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna <[email protected]>
wrote:

> Hi all,
>
> I have encountered a weird "hostname in certificate didn't match:" issue
> when accessing IS dashboard. My setup details are as follows.
>
> *Setup Details*
> *IS cluster*
> - 3 nodes cluster
> - Hostname - mgt.is.wso2.com
> - Certificate CN - mgt.is.wso2.com
>
> *BPS cluster*
> - 2 nodes cluster (manager/worker)
> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
> - Certificate CN - *.bps.wso2.com
>
> * Both nodes are fronted by the same Nginx plus load balancer.
>
> [1]
> javax.net.ssl.SSLException: hostname in certificate didn't match: <
> mgt.is.wso2.com> != <*.bps.wso2.com>
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
> at
> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
> ....
>         ....
>
> When we check the browser cookie, it gives the correct certificate
> (mgt.is.wso2.com), but when we check it from a Java client[2] it gives the
> bps certificate (*.bps.wso2.com) instead of IS.
>
> [2]
> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>
> What is the reason for this? Is it my config issue or Nginx issue or our
> product issue?
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QA*
> *WSO2 Inc.*
> *Mobile: 0714002533*
>



-- 
Deependra Ariyadewa
WSO2, Inc. http://wso2.com/ http://wso2.org

email [email protected]; cell +94 71 403 5996 ;
Blog http://risenfall.wordpress.com/
PGP info: KeyID: 'DC627E6F'

*WSO2 - Lean . Enterprise . Middleware*
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
