On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com> wrote:
> Hi all, > > With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can > successfully turn off the hostname verification with > *-Dhttpclient.hostnameVerifier=AllowAll*. > What was the original issue? Farasath has followed the same steps (IS with 4.4.17-SNAPSHOT) and mentioned that the above property was not working according to the mail above. > Need to do some code changes from Identity Server side to make the newly > introduced property effective for some components. > What are the code changes? This property is only used in httpclient coming from kernel. So why changes are required at IS side? > Since no improvement is needed from kernel side, can we please go ahead > with the kernel 4.4.17 release? > > *-Dhttpclient.hostnameVerifier *is only applicable since 4.4.17, but our > documentation says it's applicable from 4.4.10 ([1]). Better to fix the > documentation as well. Reopened [2] since the doc need to be corrected. > > [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification > [2] https://wso2.org/jira/browse/DOCUMENTATION-4071 > > thanks > Nuwandi > > On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <farasa...@wso2.com> > wrote: > >> >> >> >> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <farasa...@wso2.com> >> wrote: >> >>> Tested with Kernel 4.4.16, -Dhttpclient.hostnameVerifier=AllowAll >>> parameter is honoured and worked fine. >>> >> >> I had an offline discussion with Chandana and Thusitha and go to know >> that *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in kernel >> as of now (upto 4.4.16) and will be supported in 4.4.17. Therefore my >> earlier conclusion saying that kernel 4.4.16 parameter is honoured is >> incorrect. But our documentation says that we support this from 4.4.11 >> which need to be corrected immediately :) >> >> But going throught the startup script we do have a parameter >> *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a >> quick search and this parameter was used in Kernel 4.4.6 to disable >> hostname verification. Therefore I think that is how I was able to get my >> scenario working with a hostname without changing certs (ie. turn off >> hostname verification). >> >> But even though we have the necessary fixes to support >> *-Dhttpclient.hostnameVerifier=AllowAll >> *in kernel 4.4.17 with commons-httpclient_3.1.0.wso2v6 orbit it doesn't >> seem to honour the *-Dhttpclient.hostnameVerifier *parameter. >> >> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method >> to verify hostname[1] was never hit :( >> >> >> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3. >> 1.0-wso2v6/commons-httpclient/src/main/java/org/apache/ >> commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286 >> >> >>> >>> Farasath Ahamed >>> Software Engineer, WSO2 Inc.; http://wso2.com >>> Mobile: +94777603866 >>> Blog: blog.farazath.com >>> Twitter: @farazath619 <https://twitter.com/farazath619> >>> <http://wso2.com/signature> >>> >>> >>> >>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <hars...@wso2.com> >>> wrote: >>> >>>> >>>> >>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <farasa...@wso2.com> wrote: >>>> >>>> Tried to do $subject following [1] on a IS 5.4.0-SNAPSHOT pack with >>>> kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after >>>> running the server with, >>>> -Dhttpclient.hostnameVerifier=AllowAll >>>> >>>> >>>> You don't get this error with the IS pack with kernal 4.4.16 ? Could >>>> you please check that Farasath ? >>>> Then we can isolate this. >>>> >>>> >>>> >>>> [2017-08-15 19:36:52,561] ERROR >>>> {org.apache.catalina.core.StandardWrapperValve} >>>> - Servlet.service() for servlet [default] in context with path >>>> [/authenticationendpoint] threw exception >>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: >>>> java.security.cert.CertificateException: No name matching idp.wso2.com >>>> found >>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServl >>>> etWrapper.java:467) >>>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServl >>>> et.java:395) >>>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) >>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >>>> lter(ApplicationFilterChain.java:303) >>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >>>> licationFilterChain.java:208) >>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte >>>> r.java:52) >>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >>>> lter(ApplicationFilterChain.java:241) >>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >>>> licationFilterChain.java:208) >>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(Applic >>>> ationDispatcher.java:743) >>>> at org.apache.catalina.core.ApplicationDispatcher.processReques >>>> t(ApplicationDispatcher.java:485) >>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(App >>>> licationDispatcher.java:410) >>>> at org.apache.catalina.core.ApplicationDispatcher.forward(Appli >>>> cationDispatcher.java:337) >>>> at org.wso2.carbon.identity.application.authentication.endpoint >>>> .util.filter.AuthenticationEndpointFilter.doFilter(Authentic >>>> ationEndpointFilter.java:161) >>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >>>> lter(ApplicationFilterChain.java:241) >>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >>>> licationFilterChain.java:208) >>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilte >>>> r(HttpHeaderSecurityFilter.java:124) >>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >>>> lter(ApplicationFilterChain.java:241) >>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >>>> licationFilterChain.java:208) >>>> at org.apache.catalina.core.StandardWrapperValve.invoke(Standar >>>> dWrapperValve.java:218) >>>> at org.apache.catalina.core.StandardContextValve.invoke(Standar >>>> dContextValve.java:110) >>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(A >>>> uthenticatorBase.java:506) >>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHo >>>> stValve.java:169) >>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo >>>> rtValve.java:103) >>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContext >>>> RewriteValve.invoke(TenantContextRewriteValve.java:80) >>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invo >>>> ke(AuthorizationValve.java:91) >>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invo >>>> ke(AuthenticationValve.java:60) >>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInv >>>> ocation(CompositeValve.java:99) >>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke >>>> (CarbonTomcatValve.java:47) >>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(Tena >>>> ntLazyLoaderValve.java:57) >>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invok >>>> eValves(TomcatValveContainer.java:47) >>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(Comp >>>> ositeValve.java:62) >>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetection >>>> Valve.invoke(CarbonStuckThreadDetectionValve.java:159) >>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogVa >>>> lve.java:962) >>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve. >>>> invoke(CarbonContextCreatorValve.java:57) >>>> at org.apache.catalina.core.StandardEngineValve.invoke(Standard >>>> EngineValve.java:116) >>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd >>>> apter.java:445) >>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(Abs >>>> tractHttp11Processor.java:1115) >>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler >>>> .process(AbstractProtocol.java:637) >>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun >>>> (NioEndpoint.java:1770) >>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(N >>>> ioEndpoint.java:1729) >>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>> Executor.java:1142) >>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>> lExecutor.java:617) >>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.r >>>> un(TaskThread.java:61) >>>> at java.lang.Thread.run(Thread.java:748) >>>> Caused by: javax.net.ssl.SSLHandshakeException: >>>> java.security.cert.CertificateException: No name matching idp.wso2.com >>>> found >>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) >>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) >>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) >>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa >>>> ndshaker.java:1514) >>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHands >>>> haker.java:216) >>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) >>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) >>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) >>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSo >>>> cketImpl.java:1375) >>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl. >>>> java:1403) >>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl. >>>> java:1387) >>>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsCli >>>> ent.java:559) >>>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnectio >>>> n.connect(AbstractDelegateHttpsURLConnection.java:185) >>>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Ht >>>> tpsURLConnectionImpl.java:153) >>>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777) >>>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) >>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServl >>>> etWrapper.java:439) >>>> ... 44 more >>>> Caused by: java.security.cert.CertificateException: No name matching >>>> idp.wso2.com found >>>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221) >>>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95) >>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509Trus >>>> tManagerImpl.java:455) >>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509Trus >>>> tManagerImpl.java:436) >>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509Trust >>>> ManagerImpl.java:200) >>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X50 >>>> 9TrustManagerImpl.java:124) >>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa >>>> ndshaker.java:1496) >>>> ... 58 more >>>> >>>> >>>> Is the information in [1] still valid? >>>> >>>> Chandana pointed out there has been a http client version upgrade in >>>> Kernel 4.4.17. Could this be a reason for this? >>>> >>>> >>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName >>>> +Verification >>>> >>>> >>>> Thanks, >>>> Farasath Ahamed >>>> Software Engineer, WSO2 Inc.; http://wso2.com >>>> Mobile: +94777603866 >>>> Blog: blog.farazath.com >>>> Twitter: @farazath619 <https://twitter.com/farazath619> >>>> <http://wso2.com/signature> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> Dev@wso2.org >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>>> >>> >> >> _______________________________________________ >> Dev mailing list >> Dev@wso2.org >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > > > -- > > Best Regards, > > Nuwandi Wickramasinghe > > Software Engineer > > WSO2 Inc. > > Web : http://wso2.com > > Mobile : 0719214873 > -- *Kishanthan Thangarajah* Technical Lead, Platform Technologies Team, WSO2, Inc. lean.enterprise.middleware Mobile - +94773426635 Blog - *http://kishanthan.wordpress.com <http://kishanthan.wordpress.com>* Twitter - *http://twitter.com/kishanthan <http://twitter.com/kishanthan>*
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
