[ https://issues.apache.org/jira/browse/CXF-9012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17894607#comment-17894607 ]

Freeman Yue Fang commented on CXF-9012:
---------------------------------------

Hi [~bocamel],

This is because in CXF 4.0.4, the default client conduit is 
HttpClientHTTPConduit, which uses the in-JDK client, and this in-JDK HTTP Client API 
deliberately does not provide such an API point to disable the CN check (by adding a 
hostname verifier). You can get more details from 
https://bugs.openjdk.org/browse/JDK-8213309

And for test purposes, you can now set the System Property 
jdk.internal.httpclient.disableHostnameVerification to get such behavior.

Best Regards
Freeman
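An added example (not code from the CXF project or from anyone in this issue) that applies the same disableCNCheck setting programmatically and fails fast during test setup when CXF has selected the JDK-HttpClient-based conduit, where the setting cannot take effect; it assumes a JAX-WS proxy `port` already built from a generated service, and the class name `ConduitCheck` is my own.

```java
// Added example; not code from the CXF project or from this issue.
// Assumes a JAX-WS proxy `port` created from a generated service class.
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class ConduitCheck {

    /** True when the conduit CXF picked is the java.net.http.HttpClient-based one. */
    static boolean usesJdkHttpClient(Object port) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        // CXF 4.0.4 default: org.apache.cxf.transport.http.HttpClientHTTPConduit
        return conduit.getClass().getName().endsWith("HttpClientHTTPConduit");
    }

    /** Programmatic equivalent of tlsClientParameters disableCNCheck="true". */
    static void configureTls(Object port) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
            conduit.setTlsClientParameters(tls);
        }
        // Honoured by the HttpURLConnection-based conduit. The JDK HttpClient
        // exposes no hostname-verifier hook, so HttpClientHTTPConduit cannot
        // apply it (see JDK-8213309 linked in the comment above).
        tls.setDisableCNCheck(true);

        if (usesJdkHttpClient(port)
                && !Boolean.getBoolean("jdk.internal.httpclient.disableHostnameVerification")) {
            // Surface the mismatch at test setup rather than at the TLS handshake.
            throw new IllegalStateException(
                "disableCNCheck has no effect on HttpClientHTTPConduit; start the test JVM with "
                + "-Djdk.internal.httpclient.disableHostnameVerification=true");
        }
    }
}
```

The JDK reads jdk.internal.httpclient.disableHostnameVerification once when its HTTP client classes initialise, and it then applies to every java.net.http.HttpClient in that JVM, so pass it as a -D flag to the test JVM only rather than calling System.setProperty from application code.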




> tlsClientParameters disableCNCheck="true" no effect after migrating to CXF 
> 4.0.4
> --------------------------------------------------------------------------------
>
>                 Key: CXF-9012
>                 URL: https://issues.apache.org/jira/browse/CXF-9012
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-WS Runtime
>    Affects Versions: 4.0.4
>         Environment: Windows Server 2016, CXF 4.0.4 under SpringBoot 3.1.9, 
> JDK 17.
>            Reporter: John Yin
>            Assignee: Freeman Yue Fang
>            Priority: Major
>
> After migrating to 4.0.4, tlsClientParameters disableCNCheck="true" no longer 
> has any effect. When calling an endpoint with an IP address that does not match 
> the certificate CN, I received the following exception. Adding 
> useHttpsURLConnectionDefaultHostnameVerifier="false" explicitly did not help. 
> The code worked fine with CXF 3.5.6.
> {code:java}
> java.security.cert.CertificateException: No subject alternative names matching IP address 204.138.115.21 found
>         at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
>         at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:458)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:432)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:292)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
>         at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
>  [wrapped] javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 204.138.115.21 found
>         at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
>         at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
>         at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
>         at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
>         at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
>         at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
>         at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
>         at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>         at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
>         at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
>         at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1118)
>         at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:157)
>         at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1113)
>         at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1079)
>         at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:484)
>         at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:268)
>         at java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:205)
>         at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
>         at java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:347)
>         at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:151)
>         at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:230)
>         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>         at java.base/java.lang.Thread.run(Thread.java:840)
>  [wrapped] org.apache.cxf.interceptor.Fault: Could not send Message.
>         at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.isConnectionAttemptCompleted(HttpClientHTTPConduit.java:619)
>         at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientPipedOutputStream.canWrite(HttpClientHTTPConduit.java:379)
>         at org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientPipedOutputStream.write(HttpClientHTTPConduit.java:389)
>         at org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:81)
>         at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:51)
>         at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>         at org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:81)
>         at org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:81)
>         at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:51)
>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>         at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:242)
>         at com.ctc.wstx.sw.BufferingXmlWriter.close(BufferingXmlWriter.java:215)
>         at com.ctc.wstx.sw.BaseStreamWriter._finishDocument(BaseStreamWriter.java:1478)
>         at com.ctc.wstx.sw.BaseStreamWriter.writeEndDocument(BaseStreamWriter.java:550)
>         at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:307)
>         at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:294)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:434)
>         at org.apache.camel.component.cxf.jaxws.CxfProducer.process(CxfProducer.java:120)
>         at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:210)
>         at org.apache.camel.processor.errorhandler.NoErrorHandler.process(NoErrorHandler.java:46)
>         at org.apache.camel.impl.engine.CamelInternalProcessor.processNonTransacted(CamelInternalProcessor.java:354)
>         at org.apache.camel.impl.engine.CamelInternalProcessor.process(CamelInternalProcessor.java:330)
>         at org.apache.camel.processor.Pipeline$PipelineTask.run(Pipeline.java:102)
>         at org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.doRun(DefaultReactiveExecutor.java:199)
>         at org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.executeReactiveWork(DefaultReactiveExecutor.java:189)
>         at org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.tryExecuteReactiveWork(DefaultReactiveExecutor.java:166)
>         at org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.schedule(DefaultReactiveExecutor.java:148)
>         at org.apache.camel.impl.engine.DefaultReactiveExecutor.scheduleMain(DefaultReactiveExecutor.java:59)
>         at org.apache.camel.processor.Pipeline.process(Pipeline.java:163)
>         at org.apache.camel.impl.engine.CamelInternalProcessor.processNonTransacted(CamelInternalProcessor.java:354)
>         at org.apache.camel.impl.engine.CamelInternalProcessor.process(CamelInternalProcessor.java:330)
>         at org.apache.camel.component.timer.TimerConsumer.sendTimerExchange(TimerConsumer.java:293)
>         at org.apache.camel.component.timer.TimerConsumer$1.doRun(TimerConsumer.java:164)
>         at org.apache.camel.component.timer.TimerConsumer$1.run(TimerConsumer.java:136)
>         at java.base/java.util.TimerThread.mainLoop(Timer.java:566)
>         at java.base/java.util.TimerThread.run(Timer.java:516)
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
