Hi,

I am using the CXF library (version 3.0.7) to communicate with SSL-protected
web service end points inside my organisation. However, when I try to connect
to them I am getting an error message due to hostname verification. I have
looked into the code and I have identified that the failure is being caused by
the check on the result of the "countDots" method as follows:

    if (strict && countDots(identity) != countDots(domainRoot)) {
        return false;
    }

In my case the identity variable follows this pattern:

    hostname.windows_domain.my_company.com

The domainRoot variable follows this pattern:

    .my_company.com

The failure is happening because the former contains 3 dots and the latter
contains just 2.

Is there any way I can prevent it from performing the strict check, and not
take this code path?

My stack trace is as follows:

    DefaultHostnameVerifier.matchIdentity(String, String, PublicSuffixMatcher, Boolean) line:182
    DefaultHostnameVerifier.matchIdentityStrict(String, String, PublicSuffixMatcher) line: 241
    DefaultHostnameVerifier.matchDNSName(String, List<String>, PublicSuffixMatcher) line: 148
    DefaultHostnameVerifier.verify(String, X509Certificate) line: 103
    DefaultHostnameVerifier.verify(String, SSLSession) line: 81
    AsyncHTTPConduit$AsyncWrappedOutputStream$5.verifySession(HttpHost, IOSession, SSLSession) line: 536
    SSLIOSessionStrategy$1.verify(IOSession, SSLSession) line: 140

As you can see, the Boolean for the strict check is not something I seem to
have any control over, as the "matchIdentityStrict" method is called by
"matchDNSName" directly.

Regards,
Tom