Hi Colm,

Unfortunately I am tied into that version. The application I am working on is vendor provided, with extension points that allow me to enhance the functionality. I am extending their existing web service client implementation which is using that version of the CXF library. From when I spoke to them last it is unlikely they will be willing to upgrade this any time soon due to the possibility of undesirable knock-on effects.

Regards,
Tom

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Tuesday, June 06, 2017 10:23 AM
To: [email protected]
Subject: [EXTERNAL] Re: Failing hostname verification for SSL connections with subdomain in URL

Could you try with a more recent version of CXF than 3.0.7? I have a feeling that issue was subsequently fixed.

Colm.

On Fri, Jun 2, 2017 at 12:06 PM, Thomas Wilkin <[email protected]> wrote:

> Hi,
>
> I am using the CXF library (version 3.0.7) to communicate with SSL
> protected web service end points inside my organisation. However when
> I try and connect to them I am getting an error message due to
> hostname verification. I have looked into the code and I have
> identified the failure is being caused by the check on the result of
> the "countDots" method as follows:
>
>     if (strict && countDots(identity) != countDots(domainRoot)) {
>         return false;
>     }
>
> In my case the identity variable follows this pattern:
>     hostname.windows_domain.my_company.com
> The domainRoot variable follows this pattern:
>     .my_company.com
> The failure is happening because the former contains 3 dots and the
> latter contains just 2.
>
> Is there any way I can prevent it from performing the strict check,
> and not take this code path?
>
> My stack trace is as follows:
>
>     DefaultHostnameVerifier.matchIdentity(String, String, PublicSuffixMatcher, Boolean) line:182
>     DefaultHostnameVerifier.matchIdentityStrict(String, String, PublicSuffixMatcher) line: 241
>     DefaultHostnameVerifier.matchDNSName(String, List<String>, PublicSuffixMatcher) line: 148
>     DefaultHostnameVerifier.verify(String, X509Certificate) line: 103
>     DefaultHostnameVerifier.verify(String, SSLSession) line: 81
>     AsyncHTTPConduit$AsyncWrappedOutputStream$5.verifySession(HttpHost, IOSession, SSLSession) line: 536
>     SSLIOSessionStrategy$1.verify(IOSession, SSLSession) line: 140
>
> As you can see the Boolean for the strict check is not something I seem
> to have any control over as the "matchIdentityStrict" method is called
> by "matchDNSName" directly.
>
> Regards,
> Tom
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
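
Added illustration, not part of the original messages and not CXF or HttpClient code: the dot-count check quoted in the thread, isolated and run on constructed names of the same shape as those described, next to a label-by-label comparison in the style of RFC 6125 that accepts the exact multi-label name while still confining a wildcard to one left-most label. Everything except the name `countDots` and the quoted condition is an assumption made for the example.

```java
import java.util.Locale;

public class StrictMatchDemo {

    static int countDots(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '.') n++;
        }
        return n;
    }

    // The condition quoted in the thread, in isolation: under "strict" the
    // certificate identity passes only if it has exactly as many dots as
    // the domain root, so any identity deeper than one label below the
    // root is rejected even when it equals the host name.
    static boolean dotCountCheck(String identity, String domainRoot, boolean strict) {
        return !(strict && countDots(identity) != countDots(domainRoot));
    }

    // Label-wise comparison (RFC 6125 style, hypothetical helper): host and
    // identity must have the same number of labels, and "*" is honoured
    // only as the entire left-most label.
    static boolean labelWiseMatch(String host, String identity) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] id = identity.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (h.length != id.length) return false;
        for (int i = 0; i < h.length; i++) {
            boolean wildcard = (i == 0) && id[i].equals("*");
            if (!wildcard && !h[i].equals(id[i])) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String host = "host1.corp.example.com";      // constructed host name
        String identity = "host1.corp.example.com";  // constructed certificate name
        String domainRoot = ".example.com";          // constructed domain root

        System.out.println("dot-count check, strict:   " + dotCountCheck(identity, domainRoot, true));
        System.out.println("dot-count check, lenient:  " + dotCountCheck(identity, domainRoot, false));
        System.out.println("label-wise, exact name:    " + labelWiseMatch(host, identity));
        System.out.println("label-wise, *.corp...:     " + labelWiseMatch(host, "*.corp.example.com"));
        System.out.println("label-wise, *.example.com: " + labelWiseMatch(host, "*.example.com"));
    }
}
```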
