On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <[email protected]> wrote:

> Tested with Kernel 4.4.16, -Dhttpclient.hostnameVerifier=AllowAll
> parameter is honoured and worked fine.
>

I had an offline discussion with Chandana and Thusitha and got to know that
*-Dhttpclient.hostnameVerifier=AllowAll* is not supported in the kernel as of
now (up to 4.4.16) and will be supported in 4.4.17.  Therefore my earlier
conclusion saying that the kernel 4.4.16 parameter is honoured is incorrect.
But our documentation says that we support this from 4.4.11, which needs to
be corrected immediately :)

But going through the startup script we do have a parameter
*-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a quick
search and this parameter was used in Kernel 4.4.6 to disable hostname
verification. Therefore I think that is how I was able to get my scenario
working with a hostname without changing certs (i.e. turn off hostname
verification).

But even though we have the necessary fixes to support
*-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the
commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the
*-Dhttpclient.hostnameVerifier* parameter.

I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method that
verifies the hostname [1] was never hit :(


[1]
https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286


>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <[email protected]>
> wrote:
>
>>
>>
>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <[email protected]> wrote:
>>
>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with
>> kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after
>> running the server with
>> -Dhttpclient.hostnameVerifier=AllowAll
>>
>>
>> You don't get this error with the IS pack with kernel 4.4.16? Could you
>> please check that, Farasath?
>> Then we can isolate this.
>>
>>
>>
>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} -  Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>> at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:748)
>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>> ... 44 more
>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>> ... 58 more
>>
>>
>> Is the information in [1] still valid?
>>
>> Chandana pointed out there has been an HTTP client version upgrade in
>> Kernel 4.4.17. Could this be a reason for this?
>>
>>
>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>
>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>>
>>
>>
>>
>>
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
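An added example, not WSO2 kernel or commons-httpclient code: a HostnameVerifier gated by the -Dhttpclient.hostnameVerifier property discussed in this thread, showing what a strict check does against the certificate's subjectAltName dNSName entries (exact match, or a wildcard covering only the leftmost label) and what AllowAll gives up. Only the property name and the AllowAll value come from the thread; the class name, treating every other value as "verify", and the constructed SAN lists are assumptions. One point worth noting from the trace quoted above: the failing check is sun.security.ssl.X509TrustManagerImpl.checkIdentity, reached from sun.net.www.protocol.https.HttpsURLConnectionImpl.connect inside login_jsp, i.e. the JDK's own HttpsURLConnection path, which is consistent with the commons-httpclient SSLProtocolSocketFactory method [1] never being hit; a property that only the commons-httpclient socket factory reads cannot affect that path, so a server that needs the relaxation should log it loudly, as the constructor below does.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not WSO2 code). Reads the property named in the thread; the
 * class name and the "anything else means verify" rule are assumptions.
 */
public final class PropertyGatedHostnameVerifier implements HostnameVerifier {

    static final String PROPERTY = "httpclient.hostnameVerifier";
    static final String ALLOW_ALL = "AllowAll";

    private final boolean allowAll;

    public PropertyGatedHostnameVerifier() {
        this(System.getProperty(PROPERTY));
    }

    PropertyGatedHostnameVerifier(String mode) {
        this.allowAll = ALLOW_ALL.equalsIgnoreCase(mode);
        if (allowAll) {
            // Make the bypass visible in the server log so it is not carried into production unnoticed.
            System.err.println("WARNING: -D" + PROPERTY + "=" + ALLOW_ALL
                    + " is set; TLS hostname verification is DISABLED for this client");
        }
    }

    /** True when the verifier accepts any peer name, i.e. offers no protection against a redirected connection. */
    public boolean bypassesVerification() {
        return allowAll;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (allowAll) {
            return true;
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matches(hostname, dnsNamesOf((X509Certificate) chain[0]));
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed: an unverifiable peer is treated as a mismatch
        }
    }

    /** Collects the dNSName entries (GeneralName type 2) from the subjectAltName extension. */
    static List<String> dnsNamesOf(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add(String.valueOf(san.get(1)));
                }
            }
        }
        return names;
    }

    /** Case-insensitive exact match, or a "*.suffix" wildcard that covers exactly one leftmost label. */
    static boolean matches(String hostname, List<String> dnsNames) {
        String host = hostname.toLowerCase(Locale.ROOT);
        for (String name : dnsNames) {
            String n = name.toLowerCase(Locale.ROOT);
            if (n.equals(host)) {
                return true;
            }
            if (n.startsWith("*.")) {
                String suffix = n.substring(1); // ".wso2.com"
                int firstDot = host.indexOf('.');
                // The host needs a non-empty leftmost label and the remainder must equal the suffix.
                if (firstDot > 0 && host.substring(firstDot).equals(suffix)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed SAN lists; no network connection or real certificate is involved.
        List<String> wildcardSan = Arrays.asList("localhost", "*.wso2.com");
        List<String> localhostOnly = Arrays.asList("localhost");

        System.out.println("idp.wso2.com vs *.wso2.com      : " + matches("idp.wso2.com", wildcardSan));
        System.out.println("a.b.wso2.com vs *.wso2.com      : " + matches("a.b.wso2.com", wildcardSan));
        System.out.println("wso2.com vs *.wso2.com          : " + matches("wso2.com", wildcardSan));
        // This is the situation behind "No name matching idp.wso2.com found" in the trace.
        System.out.println("idp.wso2.com vs localhost-only  : " + matches("idp.wso2.com", localhostOnly));

        PropertyGatedHostnameVerifier strict = new PropertyGatedHostnameVerifier("Strict");
        PropertyGatedHostnameVerifier relaxed = new PropertyGatedHostnameVerifier(ALLOW_ALL);
        System.out.println("Strict bypasses verification?   : " + strict.bypassesVerification());
        System.out.println("AllowAll bypasses verification? : " + relaxed.bypassesVerification());
    }
}
```

Run it with plain `java PropertyGatedHostnameVerifier` to see the matching rules, or with `-Dhttpclient.hostnameVerifier=AllowAll` and the no-argument constructor to see the warning line; either way the JDK's own endpoint identification on HttpsURLConnection is unaffected by this class, so the warning is the check a reviewer would want in the log, not a substitute for fixing the certificate's SAN.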
