IS Team,

It looks like the TLSProtocolSocketFactory isn't honouring the HostName verification parameter. It always tries to do the hostname verification. Looks like a buggy behaviour to me.

This causes problems for API Manager and any other product which has a distributed deployment (App Manager, DAS, etc.) because it prevents http clients within our code from accessing Admin Services of remote nodes. The http clients fail since the server cert is by default for localhost, and whenever we try to access through IPs it fails. The only way to overcome this is to create the proper certs and deploy them on the server, which is a huge hassle for simple test scenarios.

The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is being initialized. Until then things work fine. We either have to stop it being set or use a version of opensaml which supports skipping the host name verification (like our transports allow). Otherwise this is going to be a huge blocker for our releases.

Thanks,
NuwanD.

On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <[email protected]> wrote:
> Hi All,
>
> Had an offline chat with Pulasthi and got to know that in IS 5.0.8 there was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1] I got to know that there is a hostname verification introduced in opensaml 2.6.4 which is not there in opensaml 2.4.1, and this is why we are getting the above issue after moving to carbon identity 5.0.8.
>
> We are using *CommonsHTTPTransportSender* to call key manager internally, and from what I understood if we set the *HostnameVerifier* parameter to *AllowAll* we should be able to get rid of this issue, but still we are getting this issue. Does anyone know why the HostnameVerifier parameter is not working as expected with CommonsHTTPTransportSender?
>
> [1] http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>
> Thanks,
>
> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <[email protected]> wrote:
>
>> Hi All,
>>
>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the kernel upgrade I also upgraded the following:
>> carbon identity from 5.0.7 to 5.08
>> carbon commons from 4.4.8 to 4.5.2
>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>
>> After the upgrade, when I try to generate a key from the API Store I'm getting the error [1]. I was able to get rid of this issue after replacing the APIKeyValidator IP with localhost in api-manager.xml.
>> Please note that this issue is occurring after the kernel upgrade; before that we didn't encounter this issue. What I would like to know is whether there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18 to do the hostname verification by default?
>>
>> [1] [2016-03-17 11:08:35,995] INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>> at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>> at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>> at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>> at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>> at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>> at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>> at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>> at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>> at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>> at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>> at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>> at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>> at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>> at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>> at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>> at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:601)
>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>> at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>> at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>> at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>> at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>> at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>> at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>> at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>
>> Thanks,
>> Sam
>>
>> --
>> *Sam Sivayogam*
>>
>> Software Engineer
>> Mobile : +94 772 906 439
>> Office : +94 112 145 345
>> *WSO2, Inc.:* wso2.com <http://wso2.com/>
>> lean.enterprise.middleware.
>>
>

--
Nuwan Dias
Technical Lead - WSO2, Inc.
http://wso2.com
email : [email protected]
Phone : +94 777 775 729
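The exception in the trace above is strict RFC 6125 hostname checking doing its job: an IP literal such as 10.100.5.192 can only match an iPAddress SAN, and a certificate issued for localhost carries none, which is also why switching the address to localhost made the call pass. The following Python is an added example, not code from the thread, opensaml or WSO2, that reimplements that check over constructed certificate identities (the km.example.internal name is hypothetical) so both outcomes, and what an AllowAll verifier gives up, can be reproduced without a server.

```python
import ipaddress

# Constructed certificate identities (not taken from the thread): DEFAULT_CERT
# mirrors a stock keystore certificate issued only for "localhost"; PROPER_CERT
# is a certificate created for a key manager node that is reached over an IP,
# with that IP carried as an iPAddress SAN (the host name is hypothetical).
DEFAULT_CERT = {"cn": "localhost", "dns_sans": [], "ip_sans": []}
PROPER_CERT = {
    "cn": "km.example.internal",
    "dns_sans": ["km.example.internal", "*.example.internal"],
    "ip_sans": ["10.100.5.192"],
}


def _as_ip(name):
    """Return an ip_address object for an IP literal, else None."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def _dns_name_matches(pattern, host):
    """RFC 6125 style dNSName match: case-insensitive; a wildcard is allowed
    only as the whole leftmost label and must leave at least two labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # rejects "k*.example.internal" and "*.internal"
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert, requested):
    """Strict check of `cert` against the name or IP the client connected to.
    An AllowAll HostnameVerifier is this same function returning True always."""
    ip = _as_ip(requested)
    if ip is not None:
        # An IP literal may only match an iPAddress SAN; CN and dNSName are
        # ignored, so a "localhost" certificate is never valid for 10.100.5.192.
        return any(_as_ip(san) == ip for san in cert["ip_sans"])
    if cert["dns_sans"]:
        # When dNSName SANs exist the CN is not consulted at all.
        return any(_dns_name_matches(san, requested) for san in cert["dns_sans"])
    # CN fallback only for legacy certificates that carry no SANs.
    return _dns_name_matches(cert["cn"], requested)
```

Running `verify_hostname(DEFAULT_CERT, "10.100.5.192")` reproduces the failure in the trace, while the same call against PROPER_CERT passes, which is the "create the proper certs" fix rather than disabling the check.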
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
