Hi,

Could you please point to the fix you have made to address this issue?

Regards,
Chandana

On Thu, Aug 17, 2017 at 7:20 AM, Muhammed Shariq <[email protected]> wrote:
> On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <[email protected]> wrote:
>> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <[email protected]> wrote:
>>> Hi all,
>>>
>>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can successfully turn off the hostname verification with *-Dhttpclient.hostnameVerifier=AllowAll*.
>>
>> What was the original issue? Farasath has followed the same steps (IS with 4.4.17-SNAPSHOT) and mentioned that the above property was not working, according to the mail above.
>>
>>> Need to do some code changes from the Identity Server side to make the newly introduced property effective for some components.
>>
>> What are the code changes? This property is only used in the httpclient coming from the kernel. So why are changes required on the IS side?
>
> Prior to kernel 4.4.17 there was a property *-Dorg.wso2.ignoreHostnameVerification=true* that was used to disable hostname verification. IINM, the issue here is that some components use this property to disable hostname verification, but since that property has been removed in 4.4.17 it might be causing some issue, so they are investigating on the IS side.
>
> Nuwandi / Fara - correct me if I am wrong.
>
>>> Since no improvement is needed from the kernel side, can we please go ahead with the kernel 4.4.17 release?
>>>
>>> *-Dhttpclient.hostnameVerifier* is only applicable since 4.4.17, but our documentation says it's applicable from 4.4.10 ([1]). Better to fix the documentation as well. Reopened [2] since the doc needs to be corrected.
>>>
>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>>
>>> thanks
>>> Nuwandi
>>>
>>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <[email protected]> wrote:
>>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <[email protected]> wrote:
>>>>> Tested with Kernel 4.4.16, the -Dhttpclient.hostnameVerifier=AllowAll parameter is honoured and worked fine.
>>>>
>>>> I had an offline discussion with Chandana and Thusitha and got to know that *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in the kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore my earlier conclusion saying that the kernel 4.4.16 parameter is honoured is incorrect. But our documentation says that we support this from 4.4.11, which needs to be corrected immediately :)
>>>>
>>>> But going through the startup script we do have a parameter *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a quick search and this parameter was used in Kernel 4.4.6 to disable hostname verification. Therefore I think that is how I was able to get my scenario working with a hostname without changing certs (i.e. turn off hostname verification).
>>>>
>>>> But even though we have the necessary fixes to support *-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the *-Dhttpclient.hostnameVerifier* parameter.
>>>>
>>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method to verify the hostname [1] was never hit :(
>>>>
>>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>>
>>>>> Farasath Ahamed
>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>
>>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <[email protected]> wrote:
>>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <[email protected]> wrote:
>>>>>>
>>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after running the server with,
>>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>>
>>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could you please check that, Farasath?
>>>>>> Then we can isolate this.
>>>>>>
>>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>>>>>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>>>>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>> at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>>>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>>>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>>>>>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>>>>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>>>>> ... 44 more
>>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>>>>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>>>>>> ... 58 more
>>>>>>
>>>>>> Is the information in [1] still valid?
>>>>>>
>>>>>> Chandana pointed out there has been an http client version upgrade in Kernel 4.4.17. Could this be a reason for this?
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>>
>>>>>> Thanks,
>>>>>> Farasath Ahamed
>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>> Mobile: +94777603866
>>>>>> Blog: blog.farazath.com
>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>
>>> --
>>> Best Regards,
>>> Nuwandi Wickramasinghe
>>> Software Engineer
>>> WSO2 Inc.
>>> Web : http://wso2.com
>>> Mobile : 0719214873
>>
>> --
>> *Kishanthan Thangarajah*
>> Technical Lead,
>> Platform Technologies Team,
>> WSO2, Inc.
>> lean.enterprise.middleware
>> Mobile - +94773426635
>> Blog - http://kishanthan.wordpress.com
>> Twitter - http://twitter.com/kishanthan
>
> --
> Thanks,
> Shariq
> Associate Technical Lead

--
*Chandana Napagoda*
Associate Technical Lead
WSO2 Inc. - http://wso2.org
Email : [email protected]
Mobile : +94718169299
Blog : http://blog.napagoda.com | http://chandana.napagoda.com
Linkedin : http://www.linkedin.com/in/chandananapagoda

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
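The "No name matching idp.wso2.com found" error quoted in the thread is raised by the JDK's sun.security.util.HostnameChecker (innermost "Caused by"), and that trace shows the failing connection being opened through sun.net.www.protocol.https.HttpsURLConnectionImpl from login_jsp rather than through commons-httpclient. The following is an added example, not code from the thread, from WSO2 or from the JDK: a simplified Python reimplementation of the RFC 6125 name-matching rules that checker applies, so one can work out which certificate name a given host requires instead of switching verification off. The certificate dict layout, the field names and the sample values in the test are constructed assumptions.

```python
# Simplified RFC 6125 hostname check modelled on the JDK's HostnameChecker (added illustration, not WSO2 or JDK code).
import ipaddress

class CertificateException(Exception):
    pass

def _match_dns(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; '*' allowed only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # the wildcard must cover exactly one label and may not sit at the top level
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def check_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateException when no certificate name matches hostname.
    cert is a constructed dict {"subject_cn": str, "subjectAltName": [(type, value), ...]}.
    Messages mirror the JDK's: "No name matching ..." means the certificate carried
    no dNSName SAN at all and its CN did not match either."""
    sans = cert.get("subjectAltName", [])
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP-ID: only iPAddress SANs count, never the CN
        if any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans):
            return
        raise CertificateException(f"No subject alternative names matching IP address {hostname} found")
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:  # once dNSName SANs exist the CN is ignored entirely
        if any(_match_dns(p, hostname) for p in dns_names):
            return
        raise CertificateException(f"No subject alternative DNS name matching {hostname} found")
    cn = cert.get("subject_cn")
    if cn and _match_dns(cn, hostname):
        return
    raise CertificateException(f"No name matching {hostname} found")

def hostname_error(cert: dict, hostname: str):
    """Return None when a name matches, otherwise the JDK-style error text."""
    try:
        check_hostname(cert, hostname)
        return None
    except CertificateException as exc:
        return str(exc)
```

Run against a CN-only development certificate (e.g. CN=localhost) and the host idp.wso2.com, the function reproduces the exact message in the trace; with a dNSName SAN present the wording changes, which is a quick way to tell from a log line whether the server certificate has any SAN entries at all.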
