Not all components are using the commons http client. Some are using java.net.HttpURLConnection. So, if a component uses that, then those need to be modified.

But, we could have handled that by registering a custom SSLSocketFactory to HttpURLConnection by looking at the parameter value of httpclient.hostnameVerifier. See [1] for an example. Maybe this is already done?

Btw, we should not remove the previous property in a patch release. The downstream projects won't be able to keep up with that. It's ok to remove it from the wso2server.sh, but the code needs to honor the "org.wso2.ignoreHostnameVerification" property IMO. Without that, all downstream components that handled the above property, puppet scripts, and custom scripts such as *integrator.sh* have to be modified!

[1] https://stackoverflow.com/a/5297100/388714

Thanks,
Kasun

On Thu, Aug 17, 2017 at 3:22 PM, Vidura Nanayakkara <[email protected]> wrote:
> Hi,
>
> On Thu, Aug 17, 2017 at 7:49 AM, Chandana Napagoda <[email protected]> wrote:
>> Hi
>>
>> Could you please point to the fix you have made to address this issue?
>
> As Shariq mentioned, the *org.wso2.ignoreHostnameVerification* property was removed from Kernel 4.4.17 onwards. With PR [1], the commons-httpclient library coming from kernel will handle host name verification by itself. The property *org.wso2.ignoreHostnameVerification* is replaced by *httpclient.hostnameVerifier*. The possible values for *httpclient.hostnameVerifier* are as described below:
>
> - DefaultAndLocalhost - Verify host name without being strict with sub-domains (*.foo.com is allowed to match a.b.foo.com) and also allow localhost
> - AllowAll - Allows all hosts
> - Strict - Verify all hosts while being strict with sub-domains (*.foo.com is not allowed to match a.b.foo.com)
>
> Example: httpclient.hostnameVerifier="Strict"
>
> By default, host name verification will happen for all hosts without being strict with sub-domains (*.foo.com is allowed to match a.b.foo.com).
>
> Since host name verification is handled by the commons-httpclient library coming from the kernel (with PR [1]), other components do not need to worry about handling host name verification. For instance, handling of host name verification is removed from the jaggery component in PR [2].
>
> [1] https://github.com/wso2/wso2-commons-httpclient/pull/5
> [2] https://github.com/wso2/jaggery/pull/174/
>
>> Regards,
>> Chandana
>>
>> On Thu, Aug 17, 2017 at 7:20 AM, Muhammed Shariq <[email protected]> wrote:
>>> On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <[email protected]> wrote:
>>>>> Hi all,
>>>>>
>>>>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can successfully turn off the hostname verification with *-Dhttpclient.hostnameVerifier=AllowAll*.
>>>>
>>>> What was the original issue? Farasath has followed the same steps (IS with 4.4.17-SNAPSHOT) and mentioned that the above property was not working, according to the mail above.
>>>>
>>>>> Need to do some code changes from the Identity Server side to make the newly introduced property effective for some components.
>>>>
>>>> What are the code changes? This property is only used in the httpclient coming from kernel. So why are changes required on the IS side?
>>>
>>> Prior to kernel 4.4.17 there was a property *-Dorg.wso2.ignoreHostnameVerification=true* that was used to disable hostname verification. IINM, the issue here is that some components use this property to disable hostname verification, but since that property has been removed in 4.4.17 it might be causing some issue, so they are investigating on the IS side.
>>>
>>> Nuwandi / Fara - correct me if I am wrong.
>>>
>>>>> Since no improvement is needed from the kernel side, can we please go ahead with the kernel 4.4.17 release?
>>>>>
>>>>> *-Dhttpclient.hostnameVerifier* is only applicable since 4.4.17, but our documentation says it's applicable from 4.4.10 ([1]). Better to fix the documentation as well. Reopened [2] since the doc needs to be corrected.
>>>>>
>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>>>>
>>>>> thanks
>>>>> Nuwandi
>>>>>
>>>>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <[email protected]> wrote:
>>>>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <[email protected]> wrote:
>>>>>>> Tested with Kernel 4.4.16, the -Dhttpclient.hostnameVerifier=AllowAll parameter is honoured and worked fine.
>>>>>>
>>>>>> I had an offline discussion with Chandana and Thusitha and got to know that *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore my earlier conclusion saying that the parameter is honoured in kernel 4.4.16 is incorrect. But our documentation says that we support this from 4.4.11, which needs to be corrected immediately :)
>>>>>>
>>>>>> But going through the startup script we do have a parameter *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a quick search and this parameter was used in Kernel 4.4.6 to disable hostname verification. Therefore I think that is how I was able to get my scenario working with a hostname without changing certs (i.e. turn off hostname verification).
>>>>>>
>>>>>> But even though we have the necessary fixes to support *-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the *-Dhttpclient.hostnameVerifier* parameter.
>>>>>>
>>>>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method to verify the hostname [1] was never hit :(
>>>>>>
>>>>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>>>>
>>>>>>> Farasath Ahamed
>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>>
>>>>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <[email protected]> wrote:
>>>>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after running the server with,
>>>>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>>>>
>>>>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could you please check that, Farasath? Then we can isolate this.
>>>>>>>>
>>>>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>>>>>>>>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>>>>>>>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>>>>     at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>     at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>>>>     at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>>>>     at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>>>>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>>>>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>>>>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>>>>>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>>>>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>>>>>>>>     at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>>>>>>>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>>>>>>>     ... 44 more
>>>>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>>>>>>>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>>>>>>>>     ... 58 more
>>>>>>>>
>>>>>>>> Is the information in [1] still valid?
>>>>>>>>
>>>>>>>> Chandana pointed out there has been an http client version upgrade in Kernel 4.4.17. Could this be the reason for this?
>>>>>>>>
>>>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Farasath Ahamed
>>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Nuwandi Wickramasinghe
>>>>> Software Engineer
>>>>> WSO2 Inc.
>>>>
>>>> --
>>>> *Kishanthan Thangarajah*
>>>> Technical Lead,
>>>> Platform Technologies Team,
>>>> WSO2, Inc.
>>>
>>> --
>>> Thanks,
>>> Shariq
>>> Associate Technical Lead
>>
>> --
>> *Chandana Napagoda*
>> Associate Technical Lead
>> WSO2 Inc. - http://wso2.org
>
> Best Regards,
> Vidura Nanayakkara
> Software Engineer
> WSO2 Inc.

--
*Kasun Gajasinghe*
Associate Technical Lead, WSO2 Inc.
blog: http://kasunbg.org
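Kasun's suggestion of registering a verifier on HttpsURLConnection keyed on httpclient.hostnameVerifier, combined with the three modes Vidura lists, as an added example that is not code from the thread or from wso2-commons-httpclient: the class name PropertyHostnameVerifier is hypothetical, the wildcard rules follow the thread's description rather than PR [1], and only DNS SANs of the leaf certificate are matched (no CN fallback, no IP SANs).

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical verifier keyed on -Dhttpclient.hostnameVerifier (Strict | DefaultAndLocalhost | AllowAll). */
public final class PropertyHostnameVerifier implements HostnameVerifier {
    private final String mode;

    public PropertyHostnameVerifier(String mode) { this.mode = mode; }

    /** Installs the verifier for every HttpsURLConnection in the JVM, as Kasun's [1] suggests. */
    public static void installFromSystemProperty() {
        // Unset or unknown values fall back to the thread's documented default (non-strict matching)
        String mode = System.getProperty("httpclient.hostnameVerifier", "DefaultAndLocalhost");
        HttpsURLConnection.setDefaultHostnameVerifier(new PropertyHostnameVerifier(mode));
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if ("AllowAll".equals(mode)) return true;   // verification disabled: any peer certificate passes
        String host = hostname.toLowerCase(Locale.ROOT);
        if ("DefaultAndLocalhost".equals(mode) && "localhost".equals(host)) return true;
        try {
            Certificate[] chain = session.getPeerCertificates();   // chain[0] is the server's leaf cert
            X509Certificate leaf = (X509Certificate) chain[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans == null) return false;                          // no SAN extension: nothing to match
            for (List<?> san : sans) {
                // GeneralName type 2 = dNSName; the value at index 1 is the name as a String
                if (Integer.valueOf(2).equals(san.get(0)) && matches((String) san.get(1), host)) return true;
            }
            return false;
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;                                            // no verifiable identity: fail closed
        }
    }

    /** Wildcard rule from the thread: Strict lets *.foo.com match one label only; the default also matches a.b.foo.com. */
    boolean matches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);                         // "*.foo.com" -> ".foo.com"
        if (suffix.indexOf('.', 1) < 0) return false;                 // refuse single-label wildcards like *.com
        if (!host.endsWith(suffix) || host.length() <= suffix.length()) return false;
        String prefix = host.substring(0, host.length() - suffix.length());   // "a" or "a.b"
        return !"Strict".equals(mode) || prefix.indexOf('.') < 0;
    }
}
```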
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
