[ https://issues.apache.org/jira/browse/CAMEL-19856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776578#comment-17776578 ]
Gerald Kallas edited comment on CAMEL-19856 at 10/18/23 9:44 AM:
-----------------------------------------------------------------
Find attached the DEBUG log
{code:java}
2023-10-18T09:34:00,433 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #8 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Connecting socket to xxx.eu-central-1.compute.amazonaws.com/10.0.0.6:8446 with timeout 0
2023-10-18T09:34:00,435 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #8 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Enabled protocols: [TLSv1.3, TLSv1.2]
2023-10-18T09:34:00,436 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #8 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Enabled cipher suites:[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RS
2023-10-18T09:34:00,436 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #8 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Starting handshake
2023-10-18T09:34:00,478 | ERROR | Camel (isp.route.system.deployment.service.scheduler) thread #8 - timer://isp.route.system.deployment.service.scheduler | DefaultErrorHandler | 91 - org.apache.camel.camel-core-reifier - 3.20.2 | Failed delivery for (MessageId: 96246179F423722-0000000000000000 on ExchangeId: 96246179F423722-0000000000000000). Exhausted after delivery attempt: 1 caught: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\nMessage History (source location and message history is disabled)\n------------------------------------------------------------------------------------------
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
{code}
In the case that a certificate is available, the log shows
{code:java}
2023-10-18T09:38:50,803 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Connecting socket to xxx.eu-central-1.compute.amazonaws.com/10.0.0.6:8446 with timeout 0
2023-10-18T09:38:50,805 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Enabled protocols: [TLSv1.3, TLSv1.2]
2023-10-18T09:38:50,806 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Enabled cipher suites:[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RS
2023-10-18T09:38:50,806 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Starting handshake
2023-10-18T09:38:50,829 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Secure session established
2023-10-18T09:38:50,830 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | negotiated protocol: TLSv1.3
2023-10-18T09:38:50,830 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | negotiated cipher suite: TLS_AES_128_GCM_SHA256
2023-10-18T09:38:50,830 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | peer principal: CN=yyy.eu-central-1.compute.amazonaws.com, O=CAS AG, L=Default City, C=DE
2023-10-18T09:38:50,830 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | SSLConnectionSocketFactory | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | issuer principal: CN=yyy.eu-central-1.compute.amazonaws.com, O=CAS AG, L=Default City, C=DE
2023-10-18T09:38:50,833 | DEBUG | Camel (isp.route.system.deployment.service.scheduler) thread #10 - timer://isp.route.system.deployment.service.scheduler | DefaultHostnameVerifier | 152 - org.apache.httpcomponents.httpclient - 4.5.13 | Certificate for <xxx.eu-central-1.compute.amazonaws.com> doesn't match common name of the certificate subject: yyy.eu-central-1.compute.amazonaws.com
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <yyy.eu-central-1.compute.amazonaws.com> doesn't match common name of the certificate subject: xxx.eu-central-1.compute.amazonaws.com
{code}
Does that mean in the current version that
* the server / root certificate of the server to be trusted MUST be contained at least in the system's or runtime's truststore?
* a general SSL verification can't be disabled at all? (in former Camel versions the noopHostnameVerifier did this)
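An added example, not part of the Jira thread and not Camel's or HttpClient's own code: the two logs above fail at two different stages of the client-side TLS check. The first aborts inside the handshake with `PKIX path building failed`, which is the JSSE trust manager failing to chain the server certificate to anything in the truststore; no hostname verifier runs at that point. The second passes trust, and only then does `DefaultHostnameVerifier` reject the connection because the host in the URL is not covered by the certificate's CN/SAN. In HttpClient 4.5.x these are two separate objects handed to `SSLConnectionSocketFactory`: the `SSLContext` decides trust, the `HostnameVerifier` decides name matching, so a `NoopHostnameVerifier` can only ever affect the second stage. The probe below builds a context from a dedicated truststore that holds the server's own (self-signed) certificate, keeps the default hostname verifier, and reports which stage rejected the peer. The truststore path, its password and the URL are constructed sample values, and the class name `TlsStageProbe` is my own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Hypothetical class written for this page; HttpClient 4.5.x and Java 11 APIs only.
public class TlsStageProbe {

    /**
     * Stage 1: chain validation. Only certificates in this truststore (or chains
     * that end in one of them) survive PKIX path building. Loading a dedicated
     * PKCS12 file keeps the JVM's default cacerts untouched.
     */
    static SSLContext contextTrusting(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Connects once and reports which stage rejected the peer: "chain" (stage 1,
     * the SSLContext's trust manager), "hostname" (stage 2, the HostnameVerifier),
     * or "ok". A NoopHostnameVerifier in place of DefaultHostnameVerifier would
     * change only the "hostname" outcome; a "chain" failure is unaffected by it.
     */
    static String probe(String url, SSLContext ctx) throws Exception {
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sf).build();
             CloseableHttpResponse rsp = client.execute(new HttpGet(url))) {
            return "ok (HTTP " + rsp.getStatusLine().getStatusCode() + ")";
        } catch (SSLPeerUnverifiedException e) {
            // Trust passed; the certificate's CN/SAN does not cover the URL host.
            return "hostname: " + e.getMessage();
        } catch (SSLHandshakeException e) {
            // Handshake failed, e.g. PKIX path building: the truststore lacks the issuer.
            return "chain: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; point these at the real truststore and endpoint.
        SSLContext ctx = contextTrusting(Path.of("/etc/isp/truststore.p12"), "changeit".toCharArray());
        System.out.println(probe("https://xxx.eu-central-1.compute.amazonaws.com:8446/", ctx));
    }
}
```

In Camel's XML DSL the same split shows up as two endpoint options on the HTTP component: `sslContextParameters` configures stage 1 (which certificates are trusted) and `x509HostnameVerifier` configures stage 2 (name matching). Trusting the specific server certificate through a dedicated truststore keeps chain validation in force, and a name mismatch like the one logged above is then a certificate issue (the subject or SAN should name the host actually connected to) rather than something the client has to switch off.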
> NoopHostnameVerifier seems to not working any longer
> ----------------------------------------------------
>
> Key: CAMEL-19856
> URL: https://issues.apache.org/jira/browse/CAMEL-19856
> Project: Camel
> Issue Type: Bug
> Components: camel-http4
> Affects Versions: 3.20.2
> Reporter: Gerald Kallas
> Priority: Minor
>
> we had code (XML DSL) that was already working to skip SSL hostname
> validation, like
> {code:java}
> <bean id="noopHostnameVerifier" class="org.apache.http.conn.ssl.NoopHostnameVerifier"/>
> ...
> <to uri='https://server/api/v1/entity/integrationservice/delta?x509HostnameVerifier=noopHostnameVerifier'/>
> {code}
> It's not working anymore, getting
>
> {code:java}
> javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> {code}
> I tried also
>
> {code:java}
> <to uri='https://server/api/v1/entity/integrationservice/delta?x509HostnameVerifier=#noopHostnameVerifier'/>
> {code}
> same error.
>
> The underlying Java (within a Docker container) is
>
> {code:java}
> openjdk version "11.0.11" 2021-04-20
> OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
> OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)