========
Problem: "server certificate change is restricted during renegotiation"
========
javax.xml.ws.soap.SOAPFaultException: Marshalling Error: server certificate change is restricted during renegotiation -- Unable to make connection to ECPR getCustomerInformation201205 WebService -- stack trace=
com.wellsfargo.launchpad.exceptions.SystemException
    at com.wellsfargo.ebs.framework.fault.SystemFaultHelper.getFault(SystemFaultHelper.java:40)
    at com.wellsfargo.ebs.rewards.account.dao.EcprDAOImpl.getCustomerInformation(EcprDAOImpl.java:102)
    at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsWorkingModel.updateRewardsAccountInfoWithDetailsFromECPR(GetRewardsDetailsWorkingModel.java:644)
    at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.executePOIRequest(GetRewardsDetailsService.java:227)
    at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.getRewardsDetails(GetRewardsDetailsService.java:121)
    at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.getRewardsDetails201311(GetRewardsDetailsService.java:92)
    at com.wellsfargo.service.provider.ebs.rewards201311.EBSRewardsPortTypeImpl.getRewardsDetails(EBSRewardsPortTypeImpl.java:49)
    at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
    at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:178)
    at com.wellsfargo.ebs.framework.cxf.ServiceWorxJAXWSMethodInvoker.invoke(ServiceWorxJAXWSMethodInvoker.java:114)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
.......................
=========
The Cause:
=========
Java recently fixed a Triple Handshake Attack problem
(https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6457)
by checking the EndpointIdentificationAlgorithm (see
sun.security.ssl.ClientHandshaker.java, Java 7u72 or later).
Here is the change.
.............
// reservedServerCerts holds the certificate chain from the initial handshake;
// it is non-null only when this handshake is a renegotiation.
if (this.reservedServerCerts != null)
{
    localObject = getEndpointIdentificationAlgorithmSE();
    // With no endpoint identification algorithm configured on the socket, a
    // server certificate that differs from the one already accepted is fatal.
    if (((localObject == null) || (((String) localObject).length() == 0))
            && (!isIdentityEquivalent(arrayOfX509Certificate[0],
                                      this.reservedServerCerts[0])))
    {
        fatalSE(42, "server certificate change is restricted during renegotiation");
    }
}
...............
As you can see, if the EndpointIdentificationAlgorithm of the SSL socket is not
set, it will throw the "server certificate change is restricted during
renegotiation" error under some conditions (e.g. the server uses multiple SSL
certificates).
Sun HttpsURLConnection sets EndpointIdentificationAlgorithm = "HTTPS" if you do
not use a custom Hostname Verifier. See Case 2 in
http://www.docjar.net/html/api/sun/net/www/protocol/https/HttpsClient.java.html.
Using HttpsURLConnection with the default Hostname Verifier will not have this
error because of EndpointIdentificationAlgorithm = "HTTPS". (Note: this is
also proved by testing.)
The Sun HttpsURLConnection used by the Apache CXF HTTP Transport uses a custom
Hostname Verifier. As a result, EndpointIdentificationAlgorithm = null. See
Case 4 in
http://www.docjar.net/html/api/sun/net/www/protocol/https/HttpsClient.java.html,
which caused the "server certificate change is restricted during
renegotiation" exception.
Note: the "server certificate change is restricted during renegotiation" error
only happens while SSL clients are accessing a URL that uses multiple SSL
certificates due to load balancing (e.g. F5). This is a complicated SSL topic
and we do not need to discuss the root cause and its solutions here because
there are many options.
========
Question:
========
As we know, setting EndpointIdentificationAlgorithm="HTTPS" is one of the
solutions. (A perfect solution requires doing the endpoint identification work
at the TLS layer.)
Besides using a custom SSL socket factory to set the SSL socket's
EndpointIdentificationAlgorithm, is there an easy way (or tip) to set the SSL
socket EndpointIdentificationAlgorithm to "HTTPS" in the Apache CXF HTTP
Transport?
Thanks in advance
Ed