Hi,

On Thu, Aug 17, 2017 at 7:49 AM, Chandana Napagoda <[email protected]> wrote:
> Hi
>
> Could you please point the fix you have made to address this issue?

As Shariq mentioned, the org.wso2.ignoreHostnameVerification property was removed from Kernel 4.4.17 onwards. With PR [1], the commons-httpclient library coming from the kernel handles host name verification by itself. The property org.wso2.ignoreHostnameVerification is replaced by httpclient.hostnameVerifier. The possible values for httpclient.hostnameVerifier are as described below:

- DefaultAndLocalhost - Verify host names without being strict with sub-domains (*.foo.com is allowed to match a.b.foo.com) and also allow local host
- AllowAll - Allows all hosts
- Strict - Verify all hosts while being strict with sub-domains (*.foo.com is not allowed to match a.b.foo.com)

Example: httpclient.hostnameVerifier="Strict"

By default, host name verification happens for all hosts without being strict with sub-domains (*.foo.com is allowed to match a.b.foo.com).

Since host name verification is handled by the commons-httpclient library coming from the kernel (with PR [1]), other components do not need to handle host name verification themselves. For instance, host name verification handling was removed from the jaggery component in PR [2].

[1] https://github.com/wso2/wso2-commons-httpclient/pull/5
[2] https://github.com/wso2/jaggery/pull/174/

> Regards,
> Chandana
>
> On Thu, Aug 17, 2017 at 7:20 AM, Muhammed Shariq <[email protected]> wrote:
>> On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <[email protected]> wrote:
>>>> Hi all,
>>>>
>>>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can successfully turn off the hostname verification with -Dhttpclient.hostnameVerifier=AllowAll.
>>>
>>> What was the original issue? Farasath has followed the same steps (IS with 4.4.17-SNAPSHOT) and mentioned that the above property was not working, according to the mail above.
>>>
>>>> Need to do some code changes from Identity Server side to make the newly introduced property effective for some components.
>>>
>>> What are the code changes? This property is only used in httpclient coming from kernel. So why are changes required on the IS side?
>>
>> Prior to kernel 4.4.17 there was a property -Dorg.wso2.ignoreHostnameVerification=true that was used to disable hostname verification. IINM, the issue here is that some components use this property to disable hostname verification, but since that property has been removed since 4.4.17, that might be causing some issue, so they are investigating on the IS side.
>>
>> Nuwandi / Fara - correct me if I am wrong.
>>
>>>> Since no improvement is needed from kernel side, can we please go ahead with the kernel 4.4.17 release?
>>>>
>>>> -Dhttpclient.hostnameVerifier is only applicable since 4.4.17, but our documentation says it's applicable from 4.4.10 ([1]). Better to fix the documentation as well. Reopened [2] since the doc needs to be corrected.
>>>>
>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>>>
>>>> thanks
>>>> Nuwandi
>>>>
>>>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <[email protected]> wrote:
>>>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <[email protected]> wrote:
>>>>>> Tested with Kernel 4.4.16, the -Dhttpclient.hostnameVerifier=AllowAll parameter is honoured and worked fine.
>>>>>
>>>>> I had an offline discussion with Chandana and Thusitha and got to know that -Dhttpclient.hostnameVerifier=AllowAll is not supported in kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore my earlier conclusion saying that the kernel 4.4.16 parameter is honoured is incorrect. But our documentation says that we support this from 4.4.11, which needs to be corrected immediately :)
>>>>>
>>>>> But going through the startup script we do have a parameter -Dorg.wso2.ignoreHostnameVerification=true in kernel 4.4.16. Did a quick search and this parameter was used in Kernel 4.4.6 to disable hostname verification. Therefore I think that is how I was able to get my scenario working with a hostname without changing certs (i.e. turn off hostname verification).
>>>>>
>>>>> But even though we have the necessary fixes to support -Dhttpclient.hostnameVerifier=AllowAll in kernel 4.4.17 with the commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the -Dhttpclient.hostnameVerifier parameter.
>>>>>
>>>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method to verify hostname [1] was never hit :(
>>>>>
>>>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>>>
>>>>>> Farasath Ahamed
>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>> Mobile: +94777603866
>>>>>> Blog: blog.farazath.com
>>>>>> Twitter: @farazath619
>>>>>>
>>>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <[email protected]> wrote:
>>>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <[email protected]> wrote:
>>>>>>>
>>>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after running the server with
>>>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>>>
>>>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could you please check that Farasath? Then we can isolate this.
>>>>>>>
>>>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>
>>>>>>> Is the information in [1] still valid?
>>>>>>>
>>>>>>> Chandana pointed out there has been an http client version upgrade in Kernel 4.4.17. Could this be a reason for this?
>>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Farasath Ahamed
>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>> Mobile: +94777603866
>>>>>>> Blog: blog.farazath.com
>>>>>>> Twitter: @farazath619
>>>>
>>>> --
>>>> Best Regards,
>>>> Nuwandi Wickramasinghe
>>>> Software Engineer
>>>> WSO2 Inc.
>>>> Web : http://wso2.com
>>>> Mobile : 0719214873
>>>
>>> --
>>> Kishanthan Thangarajah
>>> Technical Lead,
>>> Platform Technologies Team,
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>> Mobile - +94773426635
>>> Blog - http://kishanthan.wordpress.com
>>> Twitter - http://twitter.com/kishanthan
>>
>> --
>> Thanks,
>> Shariq
>> Associate Technical Lead
>
> --
> Chandana Napagoda
> Associate Technical Lead
> WSO2 Inc. - http://wso2.org
> Email : [email protected]
> Mobile : +94718169299
> Blog : http://blog.napagoda.com | http://chandana.napagoda.com
> Linkedin : http://www.linkedin.com/in/chandananapagoda

Best Regards,
Vidura Nanayakkara

--
Best Regards,
Vidura Nanayakkara
Software Engineer
Email : [email protected]
Mobile : +94 (0) 717 919277
Web : http://wso2.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
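To make the three httpclient.hostnameVerifier values concrete, here is an added Python model (not WSO2's commons-httpclient code) of the matching rules exactly as described in the thread: one DNS label per wildcard under Strict, one or more labels under DefaultAndLocalhost, nothing checked under AllowAll. The names treated as "local host" and the sample certificate names are assumptions.

```python
"""Model of the httpclient.hostnameVerifier policies described in the thread.

Added example, not the kernel's commons-httpclient implementation: it follows
the wildcard / sub-domain rules as the mail states them, so edge cases the
mail does not mention (e.g. what exactly counts as "local host") are assumed.
"""
from typing import Iterable

# Assumption: names accepted unconditionally by DefaultAndLocalhost.
LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}


def _name_matches(pattern: str, host: str, strict: bool) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a host name.

    A leading "*." covers exactly one label when strict is True
    (Strict: *.foo.com does not match a.b.foo.com) and one or more labels
    otherwise (DefaultAndLocalhost and the kernel default: a.b.foo.com matches).
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                        # "*.foo.com" -> ".foo.com"
    if len(host) <= len(suffix) or not host.endswith(suffix):
        return False                            # "foo.com" itself is not covered
    labels_under_wildcard = host[: -len(suffix)]  # "a" or "a.b"
    return True if not strict else "." not in labels_under_wildcard


def verify_hostname(mode: str, host: str, cert_names: Iterable[str]) -> bool:
    """True if `host` is acceptable for a certificate carrying `cert_names`
    under the given httpclient.hostnameVerifier mode."""
    names = list(cert_names)
    if mode == "AllowAll":
        return True                             # verification disabled entirely
    if mode == "DefaultAndLocalhost":
        if host.lower() in LOCALHOST_NAMES:
            return True
        return any(_name_matches(n, host, strict=False) for n in names)
    if mode == "Strict":
        return any(_name_matches(n, host, strict=True) for n in names)
    raise ValueError(f"unknown httpclient.hostnameVerifier value: {mode!r}")


if __name__ == "__main__":
    # Constructed scenario mirroring the trace: a certificate issued for
    # "localhost" is presented by a server reached as idp.wso2.com.
    for mode in ("Strict", "DefaultAndLocalhost", "AllowAll"):
        print(mode, verify_hostname(mode, "idp.wso2.com", ["localhost"]))
```

Only AllowAll silences the "No name matching idp.wso2.com found" error in that scenario, and it does so by accepting any certificate for any host; the setting is a test-environment aid, whereas the durable fix is a certificate whose CN or SAN covers the host name actually used.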
