Hi all,

With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can
successfully turn off the hostname verification with
*-Dhttpclient.hostnameVerifier=AllowAll*. We need to do some code changes on
the Identity Server side to make the newly introduced property effective for
some components.

Since no improvement is needed from kernel side, can we please go ahead
with the kernel 4.4.17 release?

*-Dhttpclient.hostnameVerifier* is only applicable since 4.4.17, but our
documentation says it's applicable from 4.4.10 ([1]). Better to fix the
documentation as well. Reopened [2] since the doc needs to be corrected.

[1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
[2] https://wso2.org/jira/browse/DOCUMENTATION-4071

thanks
Nuwandi

On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <[email protected]> wrote:

>
>
>
> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <[email protected]>
> wrote:
>
>> Tested with Kernel 4.4.16, -Dhttpclient.hostnameVerifier=AllowAll
>> parameter is honoured and worked fine.
>>
>
> I had an offline discussion with Chandana and Thusitha and got to know that
> *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in the kernel as of
> now (up to 4.4.16) and will be supported in 4.4.17. Therefore my earlier
> conclusion saying that the kernel 4.4.16 parameter is honoured is incorrect.
> But our documentation says that we support this from 4.4.11, which needs to
> be corrected immediately :)
>
> But going through the startup script we do have a parameter
> *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a
> quick search and this parameter was used in Kernel 4.4.6 to disable
> hostname verification. Therefore I think that is how I was able to get my
> scenario working with a hostname without changing certs (i.e. turn off
> hostname verification).
>
> But even though we have the necessary fixes to support
> *-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the
> commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the
> *-Dhttpclient.hostnameVerifier* parameter.
>
> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method
> to verify the hostname [1] was never hit :(
>
>
> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>
>
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>>
>>
>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <[email protected]> wrote:
>>>
>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with
>>> kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after
>>> running the server with
>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>
>>>
>>> You don't get this error with the IS pack with kernel 4.4.16? Could you
>>> please check that, Farasath?
>>> Then we can isolate this.
>>>
>>>
>>>
>>> [2017-08-15 19:36:52,561] ERROR 
>>> {org.apache.catalina.core.StandardWrapperValve}
>>> -  Servlet.service() for servlet [default] in context with path
>>> [/authenticationendpoint] threw exception
>>> java.io.IOException: javax.net.ssl.SSLHandshakeException:
>>> java.security.cert.CertificateException: No name matching idp.wso2.com
>>> found
>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServl
>>> etWrapper.java:467)
>>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServl
>>> et.java:395)
>>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>> lter(ApplicationFilterChain.java:303)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>> licationFilterChain.java:208)
>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>>> r.java:52)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>> lter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>> licationFilterChain.java:208)
>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(Applic
>>> ationDispatcher.java:743)
>>> at org.apache.catalina.core.ApplicationDispatcher.processReques
>>> t(ApplicationDispatcher.java:485)
>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(App
>>> licationDispatcher.java:410)
>>> at org.apache.catalina.core.ApplicationDispatcher.forward(Appli
>>> cationDispatcher.java:337)
>>> at org.wso2.carbon.identity.application.authentication.endpoint
>>> .util.filter.AuthenticationEndpointFilter.doFilter(Authentic
>>> ationEndpointFilter.java:161)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>> lter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>> licationFilterChain.java:208)
>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilte
>>> r(HttpHeaderSecurityFilter.java:124)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>> lter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>> licationFilterChain.java:208)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
>>> dWrapperValve.java:218)
>>> at org.apache.catalina.core.StandardContextValve.invoke(Standar
>>> dContextValve.java:110)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(A
>>> uthenticatorBase.java:506)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
>>> stValve.java:169)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
>>> rtValve.java:103)
>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContext
>>> RewriteValve.invoke(TenantContextRewriteValve.java:80)
>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invo
>>> ke(AuthorizationValve.java:91)
>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invo
>>> ke(AuthenticationValve.java:60)
>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInv
>>> ocation(CompositeValve.java:99)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke
>>> (CarbonTomcatValve.java:47)
>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(Tena
>>> ntLazyLoaderValve.java:57)
>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invok
>>> eValves(TomcatValveContainer.java:47)
>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(Comp
>>> ositeValve.java:62)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetection
>>> Valve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogVa
>>> lve.java:962)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.
>>> invoke(CarbonContextCreatorValve.java:57)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(Standard
>>> EngineValve.java:116)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
>>> apter.java:445)
>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(Abs
>>> tractHttp11Processor.java:1115)
>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler
>>> .process(AbstractProtocol.java:637)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>> (NioEndpoint.java:1770)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(N
>>> ioEndpoint.java:1729)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.r
>>> un(TaskThread.java:61)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>> java.security.cert.CertificateException: No name matching idp.wso2.com
>>> found
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa
>>> ndshaker.java:1514)
>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHands
>>> haker.java:216)
>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSo
>>> cketImpl.java:1375)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.
>>> java:1403)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.
>>> java:1387)
>>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsCli
>>> ent.java:559)
>>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnectio
>>> n.connect(AbstractDelegateHttpsURLConnection.java:185)
>>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Ht
>>> tpsURLConnectionImpl.java:153)
>>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServl
>>> etWrapper.java:439)
>>> ... 44 more
>>> Caused by: java.security.cert.CertificateException: No name matching
>>> idp.wso2.com found
>>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509Trus
>>> tManagerImpl.java:455)
>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509Trus
>>> tManagerImpl.java:436)
>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509Trust
>>> ManagerImpl.java:200)
>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X50
>>> 9TrustManagerImpl.java:124)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa
>>> ndshaker.java:1496)
>>> ... 58 more
>>>
>>>
>>> Is the information in [1] still valid?
>>>
>>> Chandana pointed out there has been an HTTP client version upgrade in
>>> Kernel 4.4.17. Could this be a reason for this?
>>>
>>>
>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>
>>>
>>> Thanks,
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>>>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>>
>>
>
>
>


-- 

Best Regards,

Nuwandi Wickramasinghe

Software Engineer

WSO2 Inc.

Web : http://wso2.com

Mobile : 0719214873
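The quoted trace shows the JDK's own `HttpsURLConnection` path (`sun.net.www.protocol.https.HttpsURLConnectionImpl.connect` down to `sun.security.util.HostnameChecker.matchDNS`) rejecting `idp.wso2.com` because no name in the server certificate matched it. As an added example that is not part of this thread or of the WSO2 code, the Python below shows the matching rule such a check enforces (a simplified RFC 6125 dNSName match; the JDK's exact wildcard handling is not reproduced), extracts the rejected hostname from a log line like the one above, and reports the two bypass properties named in the thread when they appear in a JVM command line. The sample error line and command line are constructed, and the `BYPASS_FLAGS` descriptions summarise only what the thread says about each property.

```python
"""Hostname-verification helpers for the symptoms discussed in this thread.

Added example, not WSO2 code. Assumptions are marked in comments.
"""
import re
from typing import List, Optional, Sequence

# Constructed sample: the CertificateException message from the quoted trace.
SAMPLE_ERROR = (
    "java.security.cert.CertificateException: No name matching idp.wso2.com found"
)

# Constructed sample: a JVM command line carrying both properties the thread
# names as ways of switching hostname verification off.
SAMPLE_CMDLINE = (
    "java -Xms256m -Dhttpclient.hostnameVerifier=AllowAll "
    "-Dorg.wso2.ignoreHostnameVerification=true "
    "org.wso2.carbon.bootstrap.Bootstrap"
)

_MISMATCH_RE = re.compile(r"No name matching (\S+) found")


def parse_name_mismatch(line: str) -> Optional[str]:
    """Return the hostname the JDK could not find in the certificate, or None
    if the line is not the 'No name matching ... found' message."""
    match = _MISMATCH_RE.search(line)
    return match.group(1) if match else None


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one certificate dNSName.

    Simplified RFC 6125 rules (assumption: the JDK's HostnameChecker is
    close to this but is not reproduced exactly): comparison is
    case-insensitive, a wildcard must be the whole leftmost label, it matches
    exactly one label, and at least two labels must follow it, so '*.com'
    never matches anything.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    host_labels = host.split(".")
    return (
        len(host_labels) == len(pat_labels)
        and host_labels[1:] == pat_labels[1:]
    )


def verify_hostname(hostname: str, san_dns_names: Sequence[str], cn: str) -> bool:
    """Decide whether a certificate is valid for `hostname`.

    When the certificate carries any dNSName SAN entries, only those count;
    the subject CN is consulted solely when there are none. A certificate
    issued for 'localhost' therefore fails for 'idp.wso2.com', which is the
    situation the quoted trace reports. The fix that keeps verification on is
    a certificate whose SAN lists the name the client actually connects to.
    """
    if san_dns_names:
        return any(dns_name_matches(hostname, name) for name in san_dns_names)
    return dns_name_matches(hostname, cn)


# Properties named in the thread, with what the thread says they do.
BYPASS_FLAGS = {
    "-Dhttpclient.hostnameVerifier=AllowAll":
        "hostname verifier set to AllowAll (supported from kernel 4.4.17)",
    "-Dorg.wso2.ignoreHostnameVerification=true":
        "older kernel property that disabled hostname verification",
}


def bypass_flags_present(cmdline: str) -> List[str]:
    """Return the bypass properties found as whole tokens in a JVM command
    line, in the order BYPASS_FLAGS lists them. An empty list means the
    process was not started with either switch."""
    tokens = set(cmdline.split())
    return [flag for flag in BYPASS_FLAGS if flag in tokens]


if __name__ == "__main__":
    print("rejected host:", parse_name_mismatch(SAMPLE_ERROR))
    print("cert for localhost valid for idp.wso2.com?",
          verify_hostname("idp.wso2.com", ["localhost"], "localhost"))
    for flag in bypass_flags_present(SAMPLE_CMDLINE):
        print("WARNING:", flag, "->", BYPASS_FLAGS[flag])
```

`bypass_flags_present` is the piece worth wiring into a startup or inventory check: a test box may legitimately run with AllowAll while certificates are sorted out, but the same command line on a production node is a finding, and the trace parser gives the hostname the certificate needs to cover.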