Hi Ed, I'm a little confused by one detail of your post. Apache CXF uses a custom HostnameVerifier. According to one of the links you provided, this falls under:
"case 4. non-default HNV and EIA is null
No EIA, no EIA check done in SSL/TLS layer, then do HTTPS check in HTTPS layer using HNV as override."

If no EIA check is done in the SSL/TLS layer for this scenario, then how are you running into the "server certificate change is restrictedduring renegotiation" error?

Colm.

On Tue, Apr 21, 2015 at 4:33 PM, <[email protected]> wrote:
> ========
> Problem: "server certificate change is restricted during renegotiation"
> ========
> javax.xml.ws.soap.SOAPFaultException: Marshalling Error: server certificate change is restricted during renegotiation -- Unable to make connection to ECPR getCustomerInformation201205 WebService -- stack trace=
> com.wellsfargo.launchpad.exceptions.SystemException
>     at com.wellsfargo.ebs.framework.fault.SystemFaultHelper.getFault(SystemFaultHelper.java:40)
>     at com.wellsfargo.ebs.rewards.account.dao.EcprDAOImpl.getCustomerInformation(EcprDAOImpl.java:102)
>     at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsWorkingModel.updateRewardsAccountInfoWithDetailsFromECPR(GetRewardsDetailsWorkingModel.java:644)
>     at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.executePOIRequest(GetRewardsDetailsService.java:227)
>     at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.getRewardsDetails(GetRewardsDetailsService.java:121)
>     at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.getRewardsDetails201311(GetRewardsDetailsService.java:92)
>     at com.wellsfargo.service.provider.ebs.rewards201311.EBSRewardsPortTypeImpl.getRewardsDetails(EBSRewardsPortTypeImpl.java:49)
>     at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:483)
>     at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
>     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
>     at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:178)
>     at com.wellsfargo.ebs.framework.cxf.ServiceWorxJAXWSMethodInvoker.invoke(ServiceWorxJAXWSMethodInvoker.java:114)
>     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
>     .......................
>
> =========
> The Cause:
> =========
> Java recently fixed a Triple Handshake Attack problem.
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6457
> by checking EndpointIdentificationAlgorithm (see sun.security.ssl.ClientHandshaker.java, Java 7u72 or after).
> Here is the change.
> .............
>     // Only relevant on a renegotiation, when a server certificate is already on record
>     if (this.reservedServerCerts != null) {
>         localObject = getEndpointIdentificationAlgorithmSE();
>         // No endpoint identification configured on the socket AND the new chain's
>         // leaf is not identity-equivalent to the reserved one -> fatal alert
>         if (((localObject == null) || (((String) localObject).length() == 0))
>                 && (!isIdentityEquivalent(arrayOfX509Certificate[0], this.reservedServerCerts[0]))) {
>             fatalSE(42, "server certificate change is restrictedduring renegotiation");
>         }
>     }
> ...............
>
> As you see, if EndpointIdentificationAlgorithm of the SSL socket is not set, it will throw the "server certificate change is restrictedduring renegotiation" error under some conditions (e.g. the server uses multiple SSL certificates).
>
> Sun HttpsURLConnection sets EndpointIdentificationAlgorithm = "HTTPS" if you do not use a custom Hostname Verifier.
> See Case 2.
> http://www.docjar.net/html/api/sun/net/www/protocol/https/HttpsClient.java.html.
> Using HttpsURLConnection with the default Hostname Verifier will not have this error because of EndpointIdentificationAlgorithm = "HTTPS". (note: this is also proved by testing)
>
> Sun HttpsURLConnection used by Apache CXF Http Transport uses a custom Hostname Verifier. As a result, EndpointIdentificationAlgorithm = null. See Case 4.
> http://www.docjar.net/html/api/sun/net/www/protocol/https/HttpsClient.java.html,
> which caused the "server certificate change is restricted during renegotiation" exception.
>
> Note: the "server certificate change is restricted during renegotiation" error only happens while SSL clients are accessing a URL which uses multiple SSL certificates due to load balancing (e.g. F5). This is a complicated SSL topic and we do not need to discuss the root cause and its solutions because there are many options.
>
> ========
> Question:
> ========
> As we know, setting EndpointIdentificationAlgorithm="HTTPS" is one of the solutions. (The perfect solution requires doing the Endpoint Identification work at the TLS layer.)
>
> Besides using a custom SSL Factory to set the SSL Socket EndpointIdentificationAlgorithm, is there an easy way (or tip) to set the SSL Socket EndpointIdentificationAlgorithm to "HTTPS" in Apache CXF HTTP Transport?
>
> Thanks in advance
>
> Ed

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
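The "custom SSL Factory" route Ed mentions, worked through as an added example (this is not code from the thread, from the JDK or from the CXF project): a delegating SSLSocketFactory that sets the "HTTPS" endpoint identification algorithm on every SSLSocket it creates, so the JSSE layer itself checks the server certificate against the requested host name, which is also what the ClientHandshaker change quoted above looks for before it decides a certificate change during renegotiation is acceptable. The class name `EndpointIdentifyingSocketFactory` and the `port` proxy in `installOn` are hypothetical; the CXF calls it assumes are `ClientProxy.getClient(...).getConduit()`, `HTTPConduit.getTlsClientParameters()` / `setTlsClientParameters(...)` and `TLSClientParameters.setSSLSocketFactory(...)`.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Hypothetical helper (added example): wraps an SSLSocketFactory and enables
 * the "HTTPS" endpoint identification algorithm (RFC 2818 host name matching,
 * done inside the TLS handshake) on every SSLSocket it hands out.
 */
public final class EndpointIdentifyingSocketFactory extends SSLSocketFactory {
    private static final String HTTPS_ALGORITHM = "HTTPS";
    private final SSLSocketFactory delegate;

    public EndpointIdentifyingSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Wrap the JVM's default SSLContext factory. */
    public static EndpointIdentifyingSocketFactory wrapDefault() throws GeneralSecurityException {
        return new EndpointIdentifyingSocketFactory(SSLContext.getDefault().getSocketFactory());
    }

    /** Turn on endpoint identification for one socket; returns it for chaining. */
    static Socket enableEndpointIdentification(Socket socket) {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) socket;
            SSLParameters params = ssl.getSSLParameters();   // copy of current params
            params.setEndpointIdentificationAlgorithm(HTTPS_ALGORITHM);
            ssl.setSSLParameters(params);                    // apply before handshake
        }
        return socket;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    @Override public Socket createSocket() throws IOException {
        return enableEndpointIdentification(delegate.createSocket());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableEndpointIdentification(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return enableEndpointIdentification(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return enableEndpointIdentification(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableEndpointIdentification(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return enableEndpointIdentification(delegate.createSocket(address, port, localAddress, localPort));
    }

    /**
     * Install the wrapped factory on the HTTP conduit behind a JAX-WS proxy
     * ('port' is a hypothetical client proxy created by a CXF-generated Service).
     */
    public static void installOn(Object port) throws GeneralSecurityException {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
        }
        tls.setSSLSocketFactory(wrapDefault());
        conduit.setTlsClientParameters(tls);
    }
}
```

Two things worth checking after wiring this in. First, the name the TLS layer verifies is the host passed to `createSocket` (or to `connect`), so a client that reaches a load-balanced service by a VIP name needs that name in the certificate's subject alternative names for every certificate the pool can present; a permissive CXF HostnameVerifier no longer silences a mismatch, which is the intended effect. Second, the HTTPS-layer HostnameVerifier still runs after the handshake, so this is an additional check rather than a replacement, and any renegotiation that presents a different certificate is now judged by `isIdentityEquivalent` against the reserved certificate instead of being rejected outright.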
