Hi Kasun/Isuru,

Currently ESB uses Apache httpclient 4.1.2; shouldn't it upgrade to a newer version?

@Deep,

Thanks for the clarification.

Regards,
Aparna

On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa <[email protected]> wrote:

> Hi Aparna,
>
> This can happen when the client does not send the SNI[1][2] to the server
> side to select the proper HTTPS virtual host. In this case NGINX reverse
> proxy created in the vhost. Most of the modern browsers send SNI to server,
> therefore you will not observe this when you make the request via a modern
> browser.
>
> Most of the new Java HTTP client libraries also support SNI. As an
> example, Apache httpclient library supports SNI from version 4.3.2 [3]. If
> you use a library which does not support SNI, you will get this error for
> HTTPS calls going towards services hosted in virtual host environments.
>
> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
> [2] https://www.ietf.org/rfc/rfc3546.txt
> [3] https://hc.apache.org/news.html
>
> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna <[email protected]>
> wrote:
>
>> Hi all,
>>
>> I have encountered a weird "hostname in certificate didn't match:" issue
>> when accessing IS dashboard. My setup details are as follows.
>>
>> *Setup Details*
>> *IS cluster*
>> - 3 nodes cluster
>> - Hostname - mgt.is.wso2.com
>> - Certificate CN - mgt.is.wso2.com
>>
>> *BPS cluster*
>> - 2 nodes cluster (manager/worker)
>> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
>> - Certificate CN - *.bps.wso2.com
>>
>> * Both nodes are fronted by same Nginx plus load balancer.
>>
>> [1]
>> javax.net.ssl.SSLException: hostname in certificate didn't match: <mgt.is.wso2.com> != <*.bps.wso2.com>
>>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>>     at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>> ....
>> ....
>>
>> When we check the browser cookie, it gave the correct certificate
>> (mgt.is.wso2.com), but when we check it from java client[2] it gives the
>> bps certificate (*.bps.wso2.com) instead of IS.
>>
>> [2]
>> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>>
>> What is the reason for this? Is it my config issue or Nginx issue or our
>> product issue?
>>
>> --
>> *Regards,*
>> *Aparna Karunarathna.*
>> *Associate Technical Lead - QA*
>> *WSO2 Inc.*
>> *Mobile: 0714002533*
>
> --
> Deependra Ariyadewa
> WSO2, Inc. http://wso2.com/ http://wso2.org
>
> email [email protected]; cell +94 71 403 5996 ;
> Blog http://risenfall.wordpress.com/
> PGP info: KeyID: 'DC627E6F'
>
> *WSO2 - Lean . Enterprise . Middleware*

--
*Regards,*
*Aparna Karunarathna.*
*Associate Technical Lead - QA*
*WSO2 Inc.*
*Mobile: 0714002533*

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
