Ok, I enabled SSL. I have attached the trace here.

You will notice that the server is sending an expired cert with a CommonName 
that does not match. It does this because the client is not supporting SNI. If 
the client supported SNI in the request, it would get back a valid cert. I have 
verified this by using openssl.

$ openssl s_client -connect thecascadeteam.com:443 -CApath /etc/ssl/certs/ -verify 3 </dev/null
vs
$ openssl s_client -servername thecascadeteam.com -connect thecascadeteam.com:443 -CApath /etc/ssl/certs/ -verify 3 </dev/null


Here is the java ssl trace...

--
2014-09-16 14:11:35,534 DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
2014-09-16 14:11:35,542 DEBUG [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
2014-09-16 14:11:35,543 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection request: [route: {s}->https://thecascadeteam.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2014-09-16 14:11:35,555 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection leased: [id: 0][route: {s}->https://thecascadeteam.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2014-09-16 14:11:35,557 DEBUG [org.apache.http.impl.execchain.MainClientExec] Opening connection {s}->https://thecascadeteam.com:443
2014-09-16 14:11:35,561 DEBUG [org.apache.http.impl.conn.HttpClientConnectionOperator] Connecting to thecascadeteam.com/67.192.9.195:443
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1410836103 bytes = { 53, 159, 40, 146, 236, 242, 175, 2, 
166, 3, 9, 55, 226, 31, 234, 169, 19, 210, 40, 218, 171, 35, 143, 184, 100, 
158, 235, 34 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, 
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1410836327 bytes = { 198, 77, 174, 100, 73, 26, 132, 180, 
245, 186, 47, 22, 55, 16, 198, 23, 59, 170, 128, 5, 218, 201, 155, 25, 251, 
144, 121, 72 }
Session ID:  {22, 217, 38, 43, 7, 55, 250, 251, 55, 24, 226, 93, 181, 78, 236, 
75, 124, 171, 133, 232, 25, 243, 11, 17, 91, 17, 188, 189, 57, 110, 141, 7}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 961
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: [email protected], CN=Parallels Panel, OU=Parallels Panel, O=Parallels, L=Herndon, ST=Virginia, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 
22994848279003529171322105433938759692822368732063903858368610748237449317173695122042003543720092746063068746474747884306012432118319515853223774859373616146120409956200887652475628189917992056313693430544210353036408390857370759005878081225289165354730634374570719587192535639763296254739754725160784306213910726454521387775388272582309040417978045387494996137933929788285594968884535129242018182621780947121544427423338488946335683351244045300489225415934921014022147851916526797101050369604962368275336285529959135638317876855822130673248503921048649567555227883256430711156119763110383403686414663712772558427109
  public exponent: 65537
  Validity: [From: Thu Apr 04 13:53:59 PDT 2013,
               To: Fri Apr 04 13:53:59 PDT 2014]
  Issuer: [email protected], CN=Parallels Panel, OU=Parallels Panel, O=Parallels, L=Herndon, ST=Virginia, C=US
  SerialNumber: [    515de867]

]
  Algorithm: [SHA1withRSA]
  Signature:
--


On Tuesday, September 16, 2014 2:08 AM, Oleg Kalnichevski <[email protected]> 
wrote:
 


On Mon, 2014-09-15 at 14:36 -0700, Feroze Daud wrote:

> hi!
> 
> We are using httpcomponents v 4.3.5. Last year there was a bug on the topic 
> of supporting SNI on JDK7, and a patch was made in late december. The ship 
> vehicle for the patch was 4.3.2.
> 
> However, I cannot find any example that shows how to enable this for the http 
> client.
> 
> Please point me to some info. I can volunteer to fix the documentation with 
> the details so that it might help others in the future.
> 
> Thanks.

Feroze,

SNI should work completely transparently when running on Java 1.7 or
newer. No configuration is required. If for whatever reason the SSL
handshake with an SNI-enabled server fails, you should be able to find out
why (and whether or not the SNI extension was properly employed) by
turning on SSL debug logging as described here:

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
 

Oleg
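
Added example, not part of the original thread or of HttpClient: a small Python check that reads a JSSE debug trace like the one above and reports, for each ClientHello, whether a server_name (SNI) extension was logged. It assumes JSSE prints such an extension on a line starting with "Extension server_name"; the second sample trace is constructed for illustration.

```python
# Lines copied from the trace in this thread: a ClientHello with no extensions.
TRACE_FROM_THREAD = """\
*** ClientHello, TLSv1
Session ID:  {}
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
"""

# Constructed sample (not from the thread): a ClientHello that carries SNI.
TRACE_WITH_SNI = """\
*** ClientHello, TLSv1
Compression Methods:  { 0 }
Extension server_name, server_name: [host_name: thecascadeteam.com]
***
main, WRITE: TLSv1 Handshake, length = 100
*** ServerHello, TLSv1
"""

def check_client_hellos(trace):
    """Return one dict per ClientHello: protocol, sni text (or None), sslv2_hello."""
    results, current, in_hello = [], None, False
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("*** ClientHello"):
            protocol = line.split(",", 1)[1].strip() if "," in line else ""
            current = {"protocol": protocol, "sni": None, "sslv2_hello": False}
            results.append(current)
            in_hello = True
        elif in_hello and line == "***":
            in_hello = False  # end of the ClientHello dump
        elif in_hello and line.startswith("Extension server_name"):
            current["sni"] = line.split(",", 1)[-1].strip()
        elif current is not None and "WRITE: SSLv2 client hello message" in line:
            # An SSLv2-format hello has no extensions field, so it cannot carry SNI.
            current["sslv2_hello"] = True
    return results

def verdict(hello):
    if hello["sni"]:
        return "SNI sent"
    return "no SNI (SSLv2-format hello)" if hello["sslv2_hello"] else "no SNI"

if __name__ == "__main__":
    for name, trace in (("thread", TRACE_FROM_THREAD), ("constructed", TRACE_WITH_SNI)):
        for hello in check_client_hellos(trace):
            print(name, hello["protocol"], verdict(hello))
```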
