Hi Kishanthan,

The documentation for enabling the host names (using the *httpclient.hostnameVerifier* property) is already available in [1] (the old configuration is also removed from the docs).

[1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification

Best Regards,
Vidura Nanayakkara

On Fri, Aug 18, 2017 at 12:26 PM, Kishanthan Thangarajah <[email protected]> wrote:
> Hi ViduraN,
>
> Shall we make sure that all the above information is captured in the documentation?
>
> Thanks,
>
> On Thu, Aug 17, 2017 at 3:22 PM, Vidura Nanayakkara <[email protected]> wrote:
>> Hi,
>>
>> On Thu, Aug 17, 2017 at 7:49 AM, Chandana Napagoda <[email protected]> wrote:
>>> Hi
>>>
>>> Could you please point the fix you have made to address this issue?
>>
>> As Shariq mentioned, the *org.wso2.ignoreHostnameVerification* property was removed from Kernel 4.4.17 onwards. With PR [1], the commons-httpclient library coming from the kernel will handle host name verification by itself. The property *org.wso2.ignoreHostnameVerification* is replaced by *httpclient.hostnameVerifier*. The possible values for *httpclient.hostnameVerifier* are as described below:
>>
>> - DefaultAndLocalhost - Verify host name without being strict with sub-domains (*.foo.com is allowed to match with a.b.foo.com) and also allow local host
>> - AllowAll - Allows all hosts
>> - Strict - Verify all hosts while being strict with sub-domains (*.foo.com is not allowed to match with a.b.foo.com)
>>
>> Example: httpclient.hostnameVerifier="Strict"
>>
>> By default, host name verification will happen for all hosts without being strict with sub-domains (*.foo.com is allowed to match with a.b.foo.com).
>>
>> Since host name verification is handled by the commons-httpclient library coming from the kernel (with PR [1]), other components do not need to worry about handling host name verification. For instance, handling host name verification is removed from the jaggery component in PR [2].
>>
>> [1] https://github.com/wso2/wso2-commons-httpclient/pull/5
>> [2] https://github.com/wso2/jaggery/pull/174/
>>
>>> Regards,
>>> Chandana
>>>
>>> On Thu, Aug 17, 2017 at 7:20 AM, Muhammed Shariq <[email protected]> wrote:
>>>> On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can successfully turn off the hostname verification with *-Dhttpclient.hostnameVerifier=AllowAll*.
>>>>>
>>>>> What was the original issue? Farasath has followed the same steps (IS with 4.4.17-SNAPSHOT) and mentioned that the above property was not working according to the mail above.
>>>>>
>>>>>> Need to do some code changes from the Identity Server side to make the newly introduced property effective for some components.
>>>>>
>>>>> What are the code changes? This property is only used in httpclient coming from kernel. So why are changes required at the IS side?
>>>>
>>>> Prior to kernel 4.4.17 there was a property *-Dorg.wso2.ignoreHostnameVerification=true* that was used to disable hostname verification. IINM, the issue here is some components use this property to disable hostname verification, but since that property has been removed since 4.4.17 that might be causing some issue, so they are investigating on the IS side.
>>>>
>>>> Nuwandi / Fara - correct me if I am wrong.
>>>>
>>>>>> Since no improvement is needed from the kernel side, can we please go ahead with the kernel 4.4.17 release?
>>>>>>
>>>>>> *-Dhttpclient.hostnameVerifier* is only applicable since 4.4.17, but our documentation says it's applicable from 4.4.10 ([1]). Better to fix the documentation as well. Reopened [2] since the doc needs to be corrected.
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>>>>>
>>>>>> thanks
>>>>>> Nuwandi
>>>>>>
>>>>>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <[email protected]> wrote:
>>>>>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <[email protected]> wrote:
>>>>>>>> Tested with Kernel 4.4.16, the -Dhttpclient.hostnameVerifier=AllowAll parameter is honoured and worked fine.
>>>>>>>
>>>>>>> I had an offline discussion with Chandana and Thusitha and got to know that *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in the kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore my earlier conclusion saying that the kernel 4.4.16 parameter is honoured is incorrect. But our documentation says that we support this from 4.4.11, which needs to be corrected immediately :)
>>>>>>>
>>>>>>> But going through the startup script we do have a parameter *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a quick search and this parameter was used in Kernel 4.4.6 to disable hostname verification. Therefore I think that is how I was able to get my scenario working with a hostname without changing certs (i.e. turn off hostname verification).
>>>>>>>
>>>>>>> But even though we have the necessary fixes to support *-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the *-Dhttpclient.hostnameVerifier* parameter.
>>>>>>>
>>>>>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method to verify hostname [1] was never hit :(
>>>>>>>
>>>>>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>>>>>
>>>>>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <[email protected]> wrote:
>>>>>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after running the server with,
>>>>>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>>>>>
>>>>>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could you please check that, Farasath? Then we can isolate this.
>>>>>>>>>
>>>>>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>>>>>>>>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>>>>>>>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>>>>> at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>>>>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>>>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>>>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>>>>>>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>>>>>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>>>>>>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>>>>>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>>>>>>>>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>>>>>>>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>>>>>>>> ... 44 more
>>>>>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>>>>>>>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>>>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>>>>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>>>>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>>>>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>>>>>>>>> ... 58 more
>>>>>>>>>
>>>>>>>>> Is the information in [1] still valid?
>>>>>>>>>
>>>>>>>>> Chandana pointed out there has been an http client version upgrade in Kernel 4.4.17. Could this be a reason for this?
>>>>>>>>>
>>>>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Farasath Ahamed
>>>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>
>>>>>> --
>>>>>> Best Regards,
>>>>>> Nuwandi Wickramasinghe
>>>>>> Software Engineer, WSO2 Inc.
>>>>>
>>>>> --
>>>>> *Kishanthan Thangarajah*
>>>>> Technical Lead, Platform Technologies Team, WSO2, Inc.
>>>>
>>>> --
>>>> Thanks,
>>>> Shariq
>>>> Associate Technical Lead
>>>
>>> --
>>> *Chandana Napagoda*
>>> Associate Technical Lead, WSO2 Inc. - http://wso2.org
>>
>> Best Regards,
>> Vidura Nanayakkara

--
Best Regards,
*Vidura Nanayakkara*
Software Engineer, WSO2 Inc.
Web : http://wso2.com

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
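Added example, not code from the thread or from the WSO2 kernel: a Python model of the three httpclient.hostnameVerifier modes Vidura lists above, so the non-strict versus Strict wildcard rule (*.foo.com against a.b.foo.com) and a plain mismatch like the "No name matching idp.wso2.com" case in Farasath's trace can be checked side by side. Which names count as "local host" for DefaultAndLocalhost (localhost and the loopback addresses) is an assumption of this example.

```python
"""Model of the httpclient.hostnameVerifier modes discussed in the thread.

Added example: this is not the WSO2 kernel's implementation. What counts as
"local host" for DefaultAndLocalhost is an assumption (localhost and loopback).
"""

MODES = ("DefaultAndLocalhost", "AllowAll", "Strict")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}   # assumption, see docstring


def name_matches(cert_name, host, strict):
    """Match one certificate name (CN or DNS SAN) against the requested host.

    A leading '*.' is a wildcard. Non-strict mode lets '*.foo.com' cover
    'a.b.foo.com'; strict mode lets it cover exactly one label ('a.foo.com').
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host            # plain name: exact match only
    suffix = cert_name[1:]                  # '*.foo.com' -> '.foo.com'
    if not host.endswith(suffix):
        return False
    labels = host[: -len(suffix)]           # 'a.b.foo.com' -> 'a.b'
    if not labels:
        return False                        # '*.foo.com' never covers 'foo.com'
    return "." not in labels if strict else True


def verify_hostname(mode, host, cert_names):
    """Return True if `host` is acceptable for a cert carrying `cert_names`."""
    if mode not in MODES:
        raise ValueError("unknown httpclient.hostnameVerifier value: %r" % mode)
    if mode == "AllowAll":
        return True                         # verification disabled entirely
    if mode == "DefaultAndLocalhost" and host.lower() in LOCAL_HOSTS:
        return True
    strict = mode == "Strict"
    return any(name_matches(n, host, strict) for n in cert_names)


def explain(host, cert_names):
    """Show the verdict of every mode for one host/certificate pair."""
    return {m: verify_hostname(m, host, cert_names) for m in MODES}


if __name__ == "__main__":
    # Constructed inputs: the *.foo.com example from the thread and the
    # idp.wso2.com mismatch from the stack trace (cert issued to localhost).
    print(explain("a.b.foo.com", ["*.foo.com"]))
    print(explain("idp.wso2.com", ["localhost"]))
```

Only AllowAll makes the idp.wso2.com request pass, which is why that value is the one to grep for in a hardening review of a deployment's startup arguments.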
