Hi Andrei,

It works in CXF 3.2.1 due to a fix I did, which is also in CXF 3.1.10:

https://issues.apache.org/jira/browse/CXF-7233

Is it an option for you to upgrade to CXF 3.1.10?

Colm.

On Wed, Nov 29, 2017 at 9:57 PM, Andrei Shakirin <[email protected]>
wrote:

> Hi Colm,
>
> Perhaps you have an idea how to resolve the following issue:
>
> I try to setup SSL connection to server https://sandbox.tiramizoo.com/
> using CXF Rest client (CXF 3.1.7, WebClient or JAX-RS Client).
>
> The code running under JDK 1.8.0_131 fails:
> Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>
> Looking for the reason, I discovered that the cause of the problem is a
> missing SNI during the handshake:
>
> Log of success case:
> ...
> Extension server_name, server_name: [type=host_name (0), value=sandbox.tiramizoo.com]
>
> [write] MD5 and SHA1 hashes:  len = 191
> 0000: 01 00 00 BB 03 03 5A 1E   8C 8D EB 9D 2A D8 DC E2  ......Z.....*...
> 0010: D5 63 9B 7C 07 10 D9 25   A3 51 F3 C1 2B 1F B0 1A  .c.....%.Q..+...
> 0020: 3F 57 CA BA 1E E7 00 00   3A C0 23 C0 27 00 3C C0  ?W......:.#.'.<.
> 0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
> 0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
> 0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
> 0060: 13 00 FF 01 00 00 58 00   0A 00 16 00 14 00 17 00  ......X.........
> 0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
> 0080: 16 00 0B 00 02 01 00 00   0D 00 16 00 14 06 03 06  ................
> 0090: 01 05 03 05 01 04 03 04   01 04 02 02 03 02 01 02  ................
> 00A0: 02 00 00 00 1A 00 18 00   00 15 73 61 6E 64 62 6F  ..........sandbo
> 00B0: 78 2E 74 69 72 61 6D 69   7A 6F 6F 2E 63 6F 6D     x.tiramizoo.com
>
> Log of problem case:
> ...
> [NO Extension server_name]
> [write] MD5 and SHA1 hashes:  len = 203
> 0000: 01 00 00 C7 03 03 5A 1E   8B 3F 08 56 DB C9 02 81  ......Z..?.V....
> 0010: F7 6C F9 32 0F EC C3 1A   9A 7D 1C 04 C3 1B C7 D5  .l.2............
> 0020: 6E 12 73 55 4C A3 00 00   64 C0 24 C0 28 00 3D C0  n.sUL...d.$.(.=.
> 0030: 26 C0 2A 00 6B 00 6A C0   0A C0 14 00 35 C0 05 C0  &.*.k.j.....5...
> 0040: 0F 00 39 00 38 C0 23 C0   27 00 3C C0 25 C0 29 00  ..9.8.#.'.<.%.).
> 0050: 67 00 40 C0 09 C0 13 00   2F C0 04 C0 0E 00 33 00  g.@...../.....3.
> 0060: 32 C0 2C C0 2B C0 30 00   9D C0 2E C0 32 00 9F 00  2.,.+.0.....2...
> 0070: A3 C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  ../...-.1.......
> 0080: 12 00 0A C0 03 C0 0D 00   16 00 13 00 FF 01 00 00  ................
> 0090: 3A 00 0A 00 16 00 14 00   17 00 18 00 19 00 09 00  :...............
> 00A0: 0A 00 0B 00 0C 00 0D 00   0E 00 16 00 0B 00 02 01  ................
> 00B0: 00 00 0D 00 16 00 14 06   03 06 01 05 03 05 01 04  ................
> 00C0: 03 04 01 04 02 02 03 02   01 02 02                 ...........
>
>
> The problem is likely caused by a bug in the JDK,
> https://bugs.openjdk.java.net/browse/JDK-8072464, that prevents sending SNI
> if the client registers a custom HostnameVerifier.
> I can also reproduce it with a simple Java HttpsURLConnection + registering
> a HostnameVerifier.
>
> Interestingly, the result of the SSL connection to
> https://sandbox.tiramizoo.com/ looks like:
> 1) failed with CXF 3.1.7 and JDK 1.8.0_131
> 2) failed with simple HttpsURLConnection + registering HostnameVerifier and
> JDK 1.8.0_131
> 3) successful with CXF 3.2.1 and JDK 1.8.0_131
> 4) successful with CXF 3.2.1 and JDK 1.8.0_151
> 5) successful with simple HttpsURLConnection + registering HostnameVerifier
> and JDK 1.8.0_151
>
> Questions:
> - any idea why this connection works with CXF 3.2.1 and JDK 1.8.0_131,
> despite the fact that CXF 3.2.1 registers the custom HostnameVerifier as
> well?
> - is there any workaround for CXF 3.1.7 and JDK 1.8.0_131?
>
> Small example to reproduce the issue is attached.
>
> Regards,
> Andrei.
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
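The failure mode Andrei describes above (a custom HostnameVerifier on HttpsURLConnection leading the JDK 8u131 client to open an SSLSocket without a host name, so no server_name extension is sent) is illustrated below with an added example. This is not code from the thread, from CXF, or from the JDK fix; it shows the commonly used application-side workaround, which is an assumption here rather than a description of how CXF-7233 was implemented: wrap the SSLSocketFactory so that every socket it hands out, including the no-argument `createSocket()` that the affected code path uses, carries an SNIHostName. The class name `SniSocketFactory`, the helper `sniIsSet`, and the sample host are assumptions for illustration; the self-check runs offline because an unconnected socket already reports its SNI parameters, and the live request only runs when a host is passed on the command line.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.Collections;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (hypothetical name): wraps a delegate SSLSocketFactory so that
 * every SSLSocket it creates carries an SNI host_name extension, regardless of
 * which createSocket overload the caller uses.
 */
public class SniSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String sniHost;

    public SniSocketFactory(SSLSocketFactory delegate, String sniHost) {
        this.delegate = delegate;
        this.sniHost = sniHost;
    }

    /** Sets server_name on a not-yet-handshaken SSLSocket and returns it. */
    static SSLSocket withSni(Socket raw, String host) {
        SSLSocket s = (SSLSocket) raw;
        SSLParameters p = s.getSSLParameters();
        p.setServerNames(Collections.singletonList(new SNIHostName(host)));
        s.setSSLParameters(p);
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // The no-argument overload is the one the affected HttpsURLConnection path
    // calls when a non-default HostnameVerifier is registered, so it must set SNI too.
    @Override public Socket createSocket() throws IOException {
        return withSni(delegate.createSocket(), sniHost);
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withSni(delegate.createSocket(s, host, port, autoClose), sniHost);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return withSni(delegate.createSocket(host, port), sniHost);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return withSni(delegate.createSocket(host, port, localHost, localPort), sniHost);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return withSni(delegate.createSocket(host, port), sniHost);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return withSni(delegate.createSocket(address, port, localAddress, localPort), sniHost);
    }

    /** Offline self-check: an unconnected socket from the wrapper already reports the SNI name. */
    static boolean sniIsSet(String host) throws IOException {
        SSLSocketFactory wrapped = new SniSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault(), host);
        try (SSLSocket s = (SSLSocket) wrapped.createSocket()) {
            return s.getSSLParameters().getServerNames().contains(new SNIHostName(host));
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "sandbox.tiramizoo.com"; // host from the thread, used only as a label offline
        System.out.println("SNI present on unconnected socket: " + sniIsSet(host));

        if (args.length > 0) { // live request only when a host is given explicitly
            HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
            // Registering any non-default verifier is what triggers the JDK behaviour.
            // Delegating to the default verifier keeps hostname checking in place
            // instead of disabling it, which a no-op verifier would do.
            HostnameVerifier dflt = HttpsURLConnection.getDefaultHostnameVerifier();
            conn.setHostnameVerifier((h, session) -> dflt.verify(h, session));
            conn.setSSLSocketFactory(new SniSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault(), host));
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

Run `java SniSocketFactory` for the offline check, or `java -Djavax.net.debug=ssl:handshake SniSocketFactory <host>` to confirm in the handshake log that the ClientHello now carries `Extension server_name`, as in the success case quoted above. The design point is that the wrapper pins the SNI name per factory instance, so one instance per target host is required; a caller that reuses one factory for several hosts would send the wrong server_name.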
