Hi ViduraN,

Shall we make sure that all the above information is captured in the documentation?

Thanks,

On Thu, Aug 17, 2017 at 3:22 PM, Vidura Nanayakkara <vidu...@wso2.com> wrote:
> Hi,
>
> On Thu, Aug 17, 2017 at 7:49 AM, Chandana Napagoda <chand...@wso2.com> wrote:
>> Hi
>>
>> Could you please point the fix you have made to address this issue?
>
> As Shariq mentioned, the org.wso2.ignoreHostnameVerification property was removed from Kernel 4.4.17 onwards. With PR [1], the commons-httpclient library coming from the kernel will handle host name verification by itself. The property org.wso2.ignoreHostnameVerification is replaced by httpclient.hostnameVerifier. The possible values for httpclient.hostnameVerifier are as described below:
>
> - DefaultAndLocalhost - Verify host name without being strict with sub-domains (*.foo.com is allowed to match with a.b.foo.com) and also allow local host
> - AllowAll - Allows all hosts
> - Strict - Verify all hosts while being strict with sub-domains (*.foo.com is not allowed to match with a.b.foo.com)
>
> Example: httpclient.hostnameVerifier="Strict"
>
> By default, host name verification will happen for all hosts without being strict with sub-domains (*.foo.com is allowed to match with a.b.foo.com).
>
> Since host name verification is handled by the commons-httpclient library coming from the kernel (with PR [1]), other components do not need to worry about handling host name verification. For instance, handling host name verification is removed from the jaggery component in PR [2].
>
> [1] https://github.com/wso2/wso2-commons-httpclient/pull/5
> [2] https://github.com/wso2/jaggery/pull/174/
>
>> Regards,
>> Chandana
>>
>> On Thu, Aug 17, 2017 at 7:20 AM, Muhammed Shariq <sha...@wso2.com> wrote:
>>> On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <kishant...@wso2.com> wrote:
>>>> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can successfully turn off the hostname verification with -Dhttpclient.hostnameVerifier=AllowAll.
>>>>
>>>> What was the original issue? Farasath has followed the same steps (IS with 4.4.17-SNAPSHOT) and mentioned that the above property was not working, according to the mail above.
>>>>
>>>>> Need to do some code changes from Identity Server side to make the newly introduced property effective for some components.
>>>>
>>>> What are the code changes? This property is only used in httpclient coming from kernel. So why are changes required at IS side?
>>>
>>> Prior to kernel 4.4.17 there was a property -Dorg.wso2.ignoreHostnameVerification=true that was used to disable hostname verification. IINM, the issue here is some components use this property to disable hostname verification, but since that property has been removed since 4.4.17 that might be causing some issue, so they are investigating on IS side.
>>>
>>> Nuwandi / Fara - correct me if I am wrong.
>>>
>>>>> Since no improvement is needed from kernel side, can we please go ahead with the kernel 4.4.17 release?
>>>>>
>>>>> -Dhttpclient.hostnameVerifier is only applicable since 4.4.17, but our documentation says it's applicable from 4.4.10 ([1]). Better to fix the documentation as well. Reopened [2] since the doc needs to be corrected.
>>>>>
>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>>>>
>>>>> thanks
>>>>> Nuwandi
>>>>>
>>>>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>>>> Tested with Kernel 4.4.16, the -Dhttpclient.hostnameVerifier=AllowAll parameter is honoured and worked fine.
>>>>>>
>>>>>> I had an offline discussion with Chandana and Thusitha and got to know that -Dhttpclient.hostnameVerifier=AllowAll is not supported in kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore my earlier conclusion saying that the kernel 4.4.16 parameter is honoured is incorrect. But our documentation says that we support this from 4.4.11, which needs to be corrected immediately :)
>>>>>>
>>>>>> But going through the startup script we do have a parameter -Dorg.wso2.ignoreHostnameVerification=true in kernel 4.4.16. Did a quick search and this parameter was used in Kernel 4.4.6 to disable hostname verification. Therefore I think that is how I was able to get my scenario working with a hostname without changing certs (i.e. turn off hostname verification).
>>>>>>
>>>>>> But even though we have the necessary fixes to support -Dhttpclient.hostnameVerifier=AllowAll in kernel 4.4.17 with the commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the -Dhttpclient.hostnameVerifier parameter.
>>>>>>
>>>>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method to verify hostname [1] was never hit :(
>>>>>>
>>>>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>>>>
>>>>>>> Farasath Ahamed
>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>> Mobile: +94777603866
>>>>>>> Blog: blog.farazath.com
>>>>>>> Twitter: @farazath619 (https://twitter.com/farazath619)
>>>>>>>
>>>>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <hars...@wso2.com> wrote:
>>>>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <farasa...@wso2.com> wrote:
>>>>>>>>
>>>>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after running the server with,
>>>>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>>>>
>>>>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could you please check that, Farasath? Then we can isolate this.
>>>>>>>>
>>>>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>>>>>>>>   at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>>>>>>>   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>>>>>>>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>>>>   at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>>>>>   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>>>>   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>>>>   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>>   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>   at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>>>>   at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>>>>   at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>   at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>>>   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>>>>   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>>>   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>>>>>>>>   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>   at java.lang.Thread.run(Thread.java:748)
>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>>>>>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>>>>>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>>>>>   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>>>>>>>>   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>>>>>   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>>>>>   at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>>>>>   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>>>>>   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>>>>>   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>>>>>   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>>>>>   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>>>>>>   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>>>>>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>>>>>>>>   at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>>>>>>>   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>>>>>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>>>>>>>   ... 44 more
>>>>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>>>>>   at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>>>>>>>   at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>>>>>>>   at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>>>>>>>>   at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>>>>>>>>   at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>>>>>>>>   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>>>>>   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>>>>>>>>   ... 58 more
>>>>>>>>
>>>>>>>> Is the information in [1] still valid?
>>>>>>>>
>>>>>>>> Chandana pointed out there has been an http client version upgrade in Kernel 4.4.17. Could this be a reason for this?
>>>>>>>>
>>>>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Farasath Ahamed
>>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>>> Mobile: +94777603866
>>>>>>>> Blog: blog.farazath.com
>>>>>>>> Twitter: @farazath619 (https://twitter.com/farazath619)
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> Dev@wso2.org
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Nuwandi Wickramasinghe
>>>>> Software Engineer
>>>>> WSO2 Inc.
>>>>> Web : http://wso2.com
>>>>> Mobile : 0719214873
>>>>
>>>> --
>>>> Kishanthan Thangarajah
>>>> Technical Lead,
>>>> Platform Technologies Team,
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>> Mobile - +94773426635
>>>> Blog - http://kishanthan.wordpress.com
>>>> Twitter - http://twitter.com/kishanthan
>>>
>>> --
>>> Thanks,
>>> Shariq
>>> Associate Technical Lead
>>
>> --
>> Chandana Napagoda
>> Associate Technical Lead
>> WSO2 Inc. - http://wso2.org
>> Email : chand...@wso2.com
>> Mobile : +94718169299
>> Blog : http://blog.napagoda.com | http://chandana.napagoda.com
>> Linkedin : http://www.linkedin.com/in/chandananapagoda
>
> Best Regards,
> Vidura Nanayakkara
>
> --
> Best Regards,
> Vidura Nanayakkara
> Software Engineer
> Email : vidu...@wso2.com
> Mobile : +94 (0) 717 919277
> Web : http://wso2.com

--
Kishanthan Thangarajah
Technical Lead,
Platform Technologies Team,
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94773426635
Blog - http://kishanthan.wordpress.com
Twitter - http://twitter.com/kishanthan
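The three httpclient.hostnameVerifier values Vidura describes above (DefaultAndLocalhost, AllowAll, Strict) differ only in how a wildcard certificate name is matched and whether localhost is exempted. The example below, added here and not taken from WSO2's commons-httpclient fork or from any message in this thread, re-implements those rules as plain string matching so the behaviour of each mode can be exercised offline against constructed inputs. The function names, the `cert_names` argument (the DNS names a peer certificate presents), the mode value `None` standing for "property not set", and the reading of "by default" as non-strict matching without a localhost exemption are all assumptions of this example. One caveat worth taking from the stack trace quoted earlier in the thread: the failing call there goes through `sun.net.www.protocol.https.HttpsURLConnectionImpl` and the JDK's `sun.security.util.HostnameChecker`, not through commons-httpclient, so a verifier setting consumed only by commons-httpclient would have no effect on that code path; when checking whether such a property is honoured, first confirm which HTTP client the failing call actually uses.

```python
"""Hostname-verification modes from the thread, modelled as string matching.

Added illustration only; not WSO2 code. Inputs are constructed for the demo.
"""

# Names treated as "local host" by the DefaultAndLocalhost mode (assumption:
# the thread says "allow local host" without listing the exact names).
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}

VALID_MODES = {None, "DefaultAndLocalhost", "AllowAll", "Strict"}


def name_matches(cert_name: str, hostname: str, strict: bool) -> bool:
    """Match one certificate DNS name against the requested hostname.

    Non-strict: '*.foo.com' may cover several labels ('a.b.foo.com').
    Strict:     '*.foo.com' covers exactly one label ('a.foo.com' only).
    Matching is case-insensitive, as DNS names are.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname          # plain name: exact match only
    suffix = cert_name[1:]                    # ".foo.com"
    if not hostname.endswith(suffix):
        return False
    covered = hostname[: -len(suffix)]        # the part the '*' must stand for
    if covered == "":
        return False                          # 'foo.com' itself is not under '*.foo.com'
    if strict and "." in covered:
        return False                          # Strict: wildcard spans one label only
    return True


def verify(hostname: str, cert_names, mode=None) -> bool:
    """Apply the policy selected by httpclient.hostnameVerifier.

    mode=None models the property being unset: verification happens for
    all hosts, wildcards are matched non-strictly, no localhost exemption.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"unknown httpclient.hostnameVerifier value: {mode!r}")
    if mode == "AllowAll":
        return True                           # no verification at all
    strict = mode == "Strict"
    if mode == "DefaultAndLocalhost" and hostname.lower() in LOCALHOST_NAMES:
        return True
    return any(name_matches(n, hostname, strict) for n in cert_names)


def compare_modes(hostname: str, cert_names) -> dict:
    """Evaluate one hostname/certificate pair under every mode at once."""
    return {
        str(mode): verify(hostname, cert_names, mode)
        for mode in (None, "DefaultAndLocalhost", "AllowAll", "Strict")
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the quoted error: the peer presents a
    # certificate for 'localhost' while the request goes to 'idp.wso2.com'.
    print(compare_modes("idp.wso2.com", ["localhost"]))
    # The wildcard example from the thread: does '*.foo.com' cover 'a.b.foo.com'?
    print(compare_modes("a.b.foo.com", ["*.foo.com"]))
```

Running the script shows that only AllowAll accepts the `idp.wso2.com` / `localhost` mismatch, and that `a.b.foo.com` is accepted under `*.foo.com` in every mode except Strict.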