Hi

Could you please point to the fix you have made to address this issue?

Regards,
Chandana

On Thu, Aug 17, 2017 at 7:20 AM, Muhammed Shariq <sha...@wso2.com> wrote:

> On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <
> kishant...@wso2.com> wrote:
>
>>
>>
>> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <
>> nuwan...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can
>>> successfully turn off the hostname verification with
>>> *-Dhttpclient.hostnameVerifier=AllowAll*.
>>>
>>
>> What was the original issue? Farasath has followed the same steps (IS
>> with 4.4.17-SNAPSHOT) and mentioned that the above property was not working
>> according to the mail above.
>>
>>
>>> Need to do some code changes from Identity Server side to make the newly
>>> introduced property effective for some components.
>>>
>>
>> What are the code changes? This property is only used in httpclient
>> coming from kernel. So why changes are required at IS side?
>>
>
> Prior to kernel 4.4.17 there was a property
> *-Dorg.wso2.ignoreHostnameVerification=true* that was used to disable
> hostname verification. IINM, the issue here is that some components use
> this property to disable hostname verification, but since that property
> has been removed since 4.4.17 that might be causing some issue, so they
> are investigating on the IS side.
>
> Nuwandi / Fara - correct me if I am wrong.
>
>>
>>
>>> Since no improvement is needed from kernel side, can we please go ahead
>>> with the kernel 4.4.17 release?
>>>
>>> *-Dhttpclient.hostnameVerifier* is only applicable since 4.4.17, but
>>> our documentation says it's applicable from 4.4.10 ([1]). Better to fix the
>>> documentation as well. Reopened [2] since the doc needs to be corrected.
>>>
>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>>
>>> thanks
>>> Nuwandi
>>>
>>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <farasa...@wso2.com>
>>>> wrote:
>>>>
>>>>> Tested with Kernel 4.4.16, -Dhttpclient.hostnameVerifier=AllowAll
>>>>> parameter is honoured and worked fine.
>>>>>
>>>>
>>>> I had an offline discussion with Chandana and Thusitha and got to know
>>>> that *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in
>>>> kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore
>>>> my earlier conclusion saying that the kernel 4.4.16 parameter is honoured is
>>>> incorrect. But our documentation says that we support this from 4.4.11,
>>>> which needs to be corrected immediately :)
>>>>
>>>> But going through the startup script we do have a parameter
>>>> *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a
>>>> quick search and this parameter was used in Kernel 4.4.6 to disable
>>>> hostname verification. Therefore I think that is how I was able to get my
>>>> scenario working with a hostname without changing certs (i.e. turn off
>>>> hostname verification).
>>>>
>>>> But even though we have the necessary fixes to support
>>>> *-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the
>>>> commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the
>>>> *-Dhttpclient.hostnameVerifier* parameter.
>>>>
>>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the
>>>> method to verify hostname[1] was never hit :(
>>>>
>>>>
>>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>>
>>>>
>>>>>
>>>>> Farasath Ahamed
>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>> <http://wso2.com/signature>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <hars...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <farasa...@wso2.com> wrote:
>>>>>>
>>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with
>>>>>> kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after
>>>>>> running the server with
>>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>>
>>>>>>
>>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could
>>>>>> you please check that, Farasath?
>>>>>> Then we can isolate this.
>>>>>>
>>>>>>
>>>>>>
>>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} -  Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>>>>>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>>>>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>> at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>>>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>>>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>>>>>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>>>>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>>>>> ... 44 more
>>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>>>>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>>>>>> ... 58 more
>>>>>>
>>>>>>
>>>>>> Is the information in [1] still valid?
>>>>>>
>>>>>> Chandana pointed out there has been a http client version upgrade in
>>>>>> Kernel 4.4.17. Could this be a reason for this?
>>>>>>
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Farasath Ahamed
>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>> Mobile: +94777603866
>>>>>> Blog: blog.farazath.com
>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>> <http://wso2.com/signature>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Best Regards,
>>>
>>> Nuwandi Wickramasinghe
>>>
>>> Software Engineer
>>>
>>> WSO2 Inc.
>>>
>>> Web : http://wso2.com
>>>
>>> Mobile : 0719214873
>>>
>>
>>
>>
>> --
>> *Kishanthan Thangarajah*
>> Technical Lead,
>> Platform Technologies Team,
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - +94773426635
>> Blog - http://kishanthan.wordpress.com
>> Twitter - http://twitter.com/kishanthan
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks,
> Shariq
> Associate Technical Lead
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
*Chandana Napagoda*
Associate Technical Lead
WSO2 Inc. - http://wso2.org

Email : chand...@wso2.com | Mobile : +94718169299

Blog : http://blog.napagoda.com | http://chandana.napagoda.com

LinkedIn : http://www.linkedin.com/in/chandananapagoda
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
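The innermost frames of the trace quoted above are sun.security.util.HostnameChecker, reached through sun.net.www.protocol.https.HttpsURLConnectionImpl.connect from login_jsp: that is the JDK's own HTTPS client doing the name check, not commons-httpclient's SSLProtocolSocketFactory, so a verifier configured for commons-httpclient alone only reaches that path if something also installs a matching verifier for HttpsURLConnection. The following is an added example (not code from WSO2 Carbon, Identity Server or the commons-httpclient orbit, and written in Go rather than Java so it runs offline without a keystore) of what the "No name matching idp.wso2.com found" check does, and what an AllowAll verifier gives up. The certificate names, the dialed host idp.wso2.com and the mode name Strict are constructed for the example; AllowAll mirrors the property value from the thread; the assumption that the server certificate was issued for localhost is the example's, not the thread's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Mode models the two verifier settings discussed on the list.
// Strict (name constructed here) is the normal behaviour: the peer certificate
// must carry the hostname that was dialed. AllowAll is what
// -Dhttpclient.hostnameVerifier=AllowAll asks for: names are never compared.
type Mode int

const (
	Strict Mode = iota
	AllowAll
)

// selfSigned mints a self-signed server certificate valid for dnsNames.
// It stands in for a keystore certificate; the names are constructed input.
func selfSigned(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames, // subjectAltName; modern checkers ignore the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer is the client-side check. Chain validation against roots always
// runs; the hostname comparison runs only in Strict mode. That is exactly what
// an AllowAll verifier gives up: any certificate that chains to a trusted root
// is accepted for host, whatever name it was issued for.
func verifyPeer(peer *x509.Certificate, roots *x509.CertPool, host string, mode Mode) error {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if mode == Strict {
		opts.DNSName = host // enables the "certificate is valid for X, not Y" check
	}
	_, err := peer.Verify(opts)
	return err
}

// Scenario wires up the thread's situation: the server certificate is issued
// for certNames (assumed to be localhost) while the client dials host.
func Scenario(certNames []string, host string, mode Mode) error {
	cert, err := selfSigned(certNames)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the server cert, as importing it into the client truststore would
	return verifyPeer(cert, roots, host, mode)
}

func main() {
	host := "idp.wso2.com"
	fmt.Println("cert for localhost, Strict:   ", Scenario([]string{"localhost"}, host, Strict))
	fmt.Println("cert for localhost, AllowAll: ", Scenario([]string{"localhost"}, host, AllowAll))
	fmt.Println("cert for idp.wso2.com, Strict:", Scenario([]string{"idp.wso2.com"}, host, Strict))
}
```

The first call fails with a hostname error (the analogue of the CertificateException in the trace), the second passes because the name comparison is skipped, and the third passes because the certificate actually carries idp.wso2.com. The third case is the fix to prefer: an AllowAll verifier is process-wide, so it also stops every other outbound HTTPS call from noticing a certificate presented by the wrong host.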
