John Yin created CXF-9012:
-----------------------------
Summary: tlsClientParameters disableCNCheck="true" no effect after
migrating to CXF 4.0.4
Key: CXF-9012
URL: https://issues.apache.org/jira/browse/CXF-9012
Project: CXF
Issue Type: Bug
Components: JAX-WS Runtime
Affects Versions: 4.0.4
Environment: Windows Server 2016, CXF 4.0.4 under SpringBoot 3.1.9,
JDK 17.
Reporter: John Yin
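After migrating to CXF 4.0.4, tlsClientParameters disableCNCheck="true" no longer
has any effect. When calling an endpoint by an IP address that does not match
the certificate CN, the client receives the following exception. Explicitly adding
useHttpsURLConnectionDefaultHostnameVerifier="false" did not help.
The same code worked fine with CXF 3.5.6.
In the trace below, the rejection is raised by the JDK's
X509TrustManagerImpl.checkIdentity during a handshake driven by java.net.http
(through HttpClientHTTPConduit). No HttpsURLConnection frames appear, so the
failing check appears to be the JDK's own endpoint identification rather than
an HttpsURLConnection hostname verifier.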
{code:java}
java.security.cert.CertificateException: No subject alternative names matching
IP address 204.138.115.21 found
at
java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
at
java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
at
java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:458)
at
java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:432)
at
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:292)
at
java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
[wrapped] javax.net.ssl.SSLHandshakeException: No subject alternative names
matching IP address 204.138.115.21 found
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
at
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at
java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1118)
at
java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:157)
at
java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1113)
at
java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1079)
at
java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:484)
at
java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:268)
at
java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:205)
at
java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
at
java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:347)
at
java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:151)
at
java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:230)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
[wrapped] org.apache.cxf.interceptor.Fault: Could not send Message.
at
org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientWrappedOutputStream.isConnectionAttemptCompleted(HttpClientHTTPConduit.java:619)
at
org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientPipedOutputStream.canWrite(HttpClientHTTPConduit.java:379)
at
org.apache.cxf.transport.http.HttpClientHTTPConduit$HttpClientPipedOutputStream.write(HttpClientHTTPConduit.java:389)
at
org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:81)
at
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:51)
at
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at
org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:81)
at
org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:81)
at
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:51)
at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:242)
at com.ctc.wstx.sw.BufferingXmlWriter.close(BufferingXmlWriter.java:215)
at
com.ctc.wstx.sw.BaseStreamWriter._finishDocument(BaseStreamWriter.java:1478)
at
com.ctc.wstx.sw.BaseStreamWriter.writeEndDocument(BaseStreamWriter.java:550)
at
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:307)
at
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:294)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:434)
at
org.apache.camel.component.cxf.jaxws.CxfProducer.process(CxfProducer.java:120)
at
org.apache.camel.processor.SendProcessor.process(SendProcessor.java:210)
at
org.apache.camel.processor.errorhandler.NoErrorHandler.process(NoErrorHandler.java:46)
at
org.apache.camel.impl.engine.CamelInternalProcessor.processNonTransacted(CamelInternalProcessor.java:354)
at
org.apache.camel.impl.engine.CamelInternalProcessor.process(CamelInternalProcessor.java:330)
at
org.apache.camel.processor.Pipeline$PipelineTask.run(Pipeline.java:102)
at
org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.doRun(DefaultReactiveExecutor.java:199)
at
org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.executeReactiveWork(DefaultReactiveExecutor.java:189)
at
org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.tryExecuteReactiveWork(DefaultReactiveExecutor.java:166)
at
org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.schedule(DefaultReactiveExecutor.java:148)
at
org.apache.camel.impl.engine.DefaultReactiveExecutor.scheduleMain(DefaultReactiveExecutor.java:59)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:163)
at
org.apache.camel.impl.engine.CamelInternalProcessor.processNonTransacted(CamelInternalProcessor.java:354)
at
org.apache.camel.impl.engine.CamelInternalProcessor.process(CamelInternalProcessor.java:330)
at
org.apache.camel.component.timer.TimerConsumer.sendTimerExchange(TimerConsumer.java:293)
at
org.apache.camel.component.timer.TimerConsumer$1.doRun(TimerConsumer.java:164)
at
org.apache.camel.component.timer.TimerConsumer$1.run(TimerConsumer.java:136)
at java.base/java.util.TimerThread.mainLoop(Timer.java:566)
at java.base/java.util.TimerThread.run(Timer.java:516) {code}