Thanks Sebastian.

I am not too familiar with this part of the code in Shindig but it looks 
like we are just passing the host name, i.e. https://ajax.googleapis.com, to 
the fetcher.  Is there anything we as the Shindig community can do to 
help out?

-Ryan

Email: rjbax...@us.ibm.com
Phone: 978-899-3041
developerWorks Profile



From:   sebb AT ASF <s...@apache.org>
To:     Ryan J Baxter/Westford/IBM@Lotus, 
Cc:     dev@shindig.apache.org, HttpComponents Project <d...@hc.apache.org>
Date:   11/07/2011 02:19 PM
Subject:        Re: httpclient version upgrade causing SSL exceptions
Sent by:        seb...@gmail.com



On 7 November 2011 18:45, Ryan J Baxter <rjbax...@us.ibm.com> wrote:
> I have been seeing SSL exceptions being thrown relating to certificates not
> matching in builds from trunk recently.  I have traced this back to a
> httpclient upgrade from 4.1.1 to 4.1.2.  Would anyone be opposed to
> reverting back to 4.1.1 for the time being?
>
> Looking at the changes that went into 4.1.2, this change looks like it
> might be related to the problem.  I have CCed Sebastian, maybe he can
> confirm.

This should really have been fed back to all the HttpComponents
developers via e-mail or JIRA issue; I'm copying the mailing list on this
reply.

>
> * [HTTPCLIENT-1097] BrowserCompatHostnameVerifier and StrictHostnameVerifier
>   should handle wildcards in SSL certificates better.
>   Contributed by Sebastian Bazley <sebb at apache.org>

> INFO: The following exception occurred when fetching
> https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js:405 ms
> elapsed.
> Nov 7, 2011 1:38:28 PM org.apache.shindig.gadgets.http.BasicHttpFetcher
> fetch
> INFO:
> javax.net.ssl.SSLException: hostname in certificate didn't match:
> <ajax.googleapis.com/74.125.115.95> != <*.googleapis.com> OR
> <googleapis.com> OR <*.googleapis.com>
>         at

It's not obvious why the hostname includes an IP address as well as a name.
I don't yet know if the validation is supposed to cope with that or not.

Also rather odd is that the hostname and IP address do not agree.

It's quite possible that the validation is wrong, and it should allow
for the /IP suffix, but it's also possible that the wrong hostname is
being passed to the validation method.

> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:228)
>         at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>         at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
>         at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
>         at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
>         at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:495)
>         at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
>         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
>         at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
>         at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
>         at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:776)
>         at org.apache.shindig.gadgets.http.BasicHttpFetcher.fetch(BasicHttpFetcher.java:361)
>         at org.apache.shindig.gadgets.http.DefaultRequestPipeline.execute(DefaultRequestPipeline.java:108)
>         at org.apache.shindig.gadgets.http.MultipleResourceHttpFetcher$HttpFetchCallable.call(MultipleResourceHttpFetcher.java:105)
>         at org.apache.shindig.gadgets.http.MultipleResourceHttpFetcher$HttpFetchCallable.call(MultipleResourceHttpFetcher.java:92)
>         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:138)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Nov 7, 2011 1:38:28 PM org.apache.shindig.gadgets.servlet.ConcatProxyServlet
> outputError
> INFO: The following error occurred when requesting a concatenated proxy: /*
> ---- Error INTERNAL_SERVER_ERROR
> concat(https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js)
> javax.net.ssl.SSLException: hostname in certificate didn't match:
> <ajax.googleapis.com/74.125.115.95> != <*.googleapis.com> OR
> <googleapis.com> OR <*.googleapis.com> ---- */.
>
> -Ryan
>
> Email: rjbax...@us.ibm.com
> Phone: 978-899-3041
> developerWorks Profile
>
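
An added example (not from the thread and not httpclient's code) of the mismatch in the exception above: the string compared against the certificate names has the `name/address` form that `java.net.InetAddress.toString()` returns, and a wildcard matcher rejects that form while accepting the bare host name. The matcher is a simplified single-label wildcard check, and `HostnameMatchDemo`, `matches`, `matchesAny` and `hostOnly` are names made up for this sketch.

```java
import java.net.InetAddress;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class HostnameMatchDemo {

    // Simplified matcher (assumption, not httpclient's algorithm):
    // case-insensitive; a leading "*." matches exactly one left-most label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1);               // e.g. ".googleapis.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    static boolean matchesAny(String host, List<String> names) {
        for (String n : names) {
            if (matches(host, n)) return true;
        }
        return false;
    }

    // Drop a trailing "/address" so only the DNS name reaches the matcher.
    static String hostOnly(String s) {
        int slash = s.indexOf('/');
        return slash < 0 ? s : s.substring(0, slash);
    }

    public static void main(String[] args) throws Exception {
        // Certificate names as listed in the exception message above.
        List<String> certNames = Arrays.asList("*.googleapis.com", "googleapis.com");

        // getByAddress performs no DNS lookup, so this runs offline.
        InetAddress addr = InetAddress.getByAddress(
                "ajax.googleapis.com", new byte[] {74, 125, 115, 95});
        String nameSlashAddr = addr.toString();       // name/address form

        System.out.println(nameSlashAddr + " -> " + matchesAny(nameSlashAddr, certNames));
        String bare = hostOnly(nameSlashAddr);
        System.out.println(bare + " -> " + matchesAny(bare, certNames));
        System.out.println(addr.getHostName() + " -> " + matchesAny(addr.getHostName(), certNames));
    }
}
```

Stripping the suffix is shown only to isolate the cause of the mismatch; verification should be given the host name the client requested rather than a string derived from the resolved address.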



