Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Sorry the other thread is [1]

[1] - [Clarification](EONPROD-24) Accessing webpage via WSO2 ESB not possbile - handshake error

On Mon, Nov 23, 2015 at 2:29 PM, Dilshan Edirisuriya wrote:

> Hi Aparna,
>
> It seems that the same issue is occurring at [1].
>
> [1] - [Dev][IS] "hostname in certificate didn't match:" issue when
> accessing IS dashboard
>
> Regards,
> Dilshan
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Aparna,

It seems that the same issue is occurring at [1].

[1] - [Dev][IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

Regards,
Dilshan

On Fri, Nov 20, 2015 at 11:38 AM, Aparna Karunarathna wrote:

> Actually I have used another Nginx to resolve my issue, not a permanent
> solution. AFAIU this is happening because httpclient 4.3.1 doesn't support
> SNI.
>
> @IsuruU, shouldn't it be upgraded to httpclient 4.3.2?
>
> Regards,
> Aparna.
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Actually I have used another Nginx to resolve my issue, not a permanent solution. AFAIU this is happening because httpclient 4.3.1 doesn't support SNI.

@IsuruU, shouldn't it be upgraded to httpclient 4.3.2?

Regards,
Aparna.

On Fri, Nov 20, 2015 at 11:24 AM, Malintha Adikari wrote:

> Hi Aparna,
>
> I am getting the same issue while accessing APIM distributed cluster nodes
> fronted through a load balancer (nginx) instance. Were you able to solve this
> issue? If so, how did you solve it?
>
> Regards,
> Malintha
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Aparna,

I am getting the same issue while accessing APIM distributed cluster nodes fronted through a load balancer (nginx) instance. Were you able to solve this issue? If so, how did you solve it?

Regards,
Malintha

On Wed, Oct 28, 2015 at 2:09 PM, Isuru Udana wrote:

> Hi Aparna,
>
> Bundles are coming from features; whatever version is defined in the product
> pom has no relationship to that.
>
> Thanks.

--
*Malintha Adikari*
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

Mobile: +94 71 2312958
Blog: http://malinthas.blogspot.com
Page: http://about.me/malintha
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Aparna,

Bundles are coming from features; whatever version is defined in the product pom has no relationship to that.

Thanks.

On Wed, Oct 28, 2015 at 11:20 AM, Aparna Karunarathna wrote:

> Hi Isuru,
>
> I checked the version from the ESB master branch pom [1].
>
> 4.1.2
>
> [1] https://github.com/wso2/product-esb/blob/master/pom.xml
>
> Regards,
> Aparna.

--
*Isuru Udana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
email: isu...@wso2.com cell: +94 77 3791887
blog: http://mytecheye.blogspot.com/

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Isuru,

I checked the version from the ESB master branch pom [1].

4.1.2

[1] https://github.com/wso2/product-esb/blob/master/pom.xml

Regards,
Aparna.

On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana wrote:

> Hi Aparna,
>
> We are using 4.3.1.
>
> Thanks.

--
*Regards,*

*Aparna Karunarathna.*

*Associate Technical Lead - QA*
*WSO2 Inc.*
*Mobile: 0714002533*
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Aparna,

We are using 4.3.1.

Thanks.

On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna wrote:

> Hi Kasun/Isuru,
>
> Currently ESB uses Apache httpclient 4.1.2, shouldn't it be upgraded to a
> newer version?
>
> @Deep, Thanks for the clarification.
>
> Regards,
> Aparna

--
*Isuru Udana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
email: isu...@wso2.com cell: +94 77 3791887
blog: http://mytecheye.blogspot.com/
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Kasun/Isuru,

Currently ESB uses Apache httpclient 4.1.2, shouldn't it be upgraded to a newer version?

@Deep, Thanks for the clarification.

Regards,
Aparna

On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa wrote:

> Hi Aparna,
>
> This can happen when the client does not send the SNI[1][2] to the server
> side to select the proper HTTPS virtual host. In this case NGINX reverse
> proxy created in the vhost. Most of the modern browsers send SNI to server,
> therefore you will not observe this when you make the request via a modern
> browser.
>
> Most of the new Java HTTP client libraries also support SNI. As an
> example, Apache httpclient library supports SNI from version 4.3.2 [3]. If
> you use a library which does not support SNI, you will get this error for
> HTTPS calls going towards services hosted in virtual host environments.
>
> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
> [2] https://www.ietf.org/rfc/rfc3546.txt
> [3] https://hc.apache.org/news.html

--
*Regards,*

*Aparna Karunarathna.*

*Associate Technical Lead - QA*
*WSO2 Inc.*
*Mobile: 0714002533*
Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi Aparna,

This can happen when the client does not send the SNI[1][2] to the server side to select the proper HTTPS virtual host. In this case NGINX reverse proxy created in the vhost. Most of the modern browsers send SNI to server, therefore you will not observe this when you make the request via a modern browser.

Most of the new Java HTTP client libraries also support SNI. As an example, Apache httpclient library supports SNI from version 4.3.2 [3]. If you use a library which does not support SNI, you will get this error for HTTPS calls going towards services hosted in virtual host environments.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://www.ietf.org/rfc/rfc3546.txt
[3] https://hc.apache.org/news.html

On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna wrote:

> Hi all,
>
> I have encountered a weird "hostname in certificate didn't match:" issue
> when accessing IS dashboard. My setup details are as follows.
>
> *Setup Details*
>
> *IS cluster*
> - 3 nodes cluster
> - Hostname - mgt.is.wso2.com
> - Certificate CN - mgt.is.wso2.com
>
> *BPS cluster*
> - 2 nodes cluster (manager/worker)
> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
> - Certificate CN - *.bps.wso2.com
>
> * Both nodes are fronted by same Nginx plus load balancer.
>
> [1]
> javax.net.ssl.SSLException: hostname in certificate didn't match: <mgt.is.wso2.com> != <*.bps.wso2.com>
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>     at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>
> When we check the browser cookie, it gave correct certificate
> (mgt.is.wso2.com), but when we check it from java client[2] it gives the
> bps certificate (*.bps.wso2.com) instead of IS.
>
> [2]
> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>
> What is the reason for this? Is it my config issue or Nginx issue or our
> product issue?

--
Deependra Ariyadewa
WSO2, Inc. http://wso2.com/ http://wso2.org

email d...@wso2.com; cell +94 71 403 5996 ;
Blog http://risenfall.wordpress.com/
PGP info: KeyID: 'DC627E6F'

*WSO2 - Lean . Enterprise . Middleware*
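Added example, not part of the thread or of any WSO2 or Apache code: a small Python model of the behaviour described in the message above. It parses the `server_name` (SNI) extension out of a ClientHello and shows which certificate a name-based front end hands back with and without it. The ClientHello bytes are constructed in the script, all function names are hypothetical, and the BPS virtual host being the front end's default server is an assumption inferred from the reported error.

```python
import struct

SNI_EXT = 0     # extension type "server_name" (RFC 3546, later RFC 6066)
HOST_NAME = 0   # NameType host_name


def build_client_hello(server_name=None):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    # An unrelated extension, so a hello without SNI still carries extensions.
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"
    body = (
        b"\x03\x03" + bytes(32)      # client_version, random
        + b"\x00"                    # empty session_id
        + b"\x00\x02\x00\x2f"        # one cipher suite
        + b"\x01\x00"                # null compression only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _host_name(ext):
    """Walk the ServerNameList and return the first host_name entry."""
    pos = 2                                   # skip the list length
    while pos + 3 <= len(ext):
        name_type, name_len = struct.unpack_from("!BH", ext, pos)
        pos += 3
        if name_type == HOST_NAME:
            return ext[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def parse_sni(record):
    """Return the host name a ClientHello asks for, or None if it sends no SNI."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a TLS ClientHello record")
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        pos = 2 + 32                                        # version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos == len(body):
            return None                                     # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == SNI_EXT:
                return _host_name(body[pos:pos + ext_len])
            pos += ext_len
        return None
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None


# Front end modelled on the thread's setup: server_name -> certificate CN.
VHOSTS = {
    "mgt.is.wso2.com": "mgt.is.wso2.com",
    "mgt.bps.wso2.com": "*.bps.wso2.com",
    "wrk.bps.wso2.com": "*.bps.wso2.com",
}
DEFAULT_CN = "*.bps.wso2.com"   # assumption: the BPS vhost is the default server


def presented_cn(record):
    """Certificate CN the front end presents: SNI match, else the default."""
    return VHOSTS.get(parse_sni(record), DEFAULT_CN)


def hostname_matches(host, cert_cn):
    """CN check with a wildcard allowed only as the whole leftmost label."""
    h, c = host.lower().split("."), cert_cn.lower().split(".")
    if len(h) != len(c):
        return False
    if c[0] == "*":
        return len(c) > 2 and h[1:] == c[1:]
    return h == c


def connect(host, send_sni):
    """Return (presented CN, hostname check result) for one simulated handshake."""
    cn = presented_cn(build_client_hello(host if send_sni else None))
    return cn, hostname_matches(host, cn)


if __name__ == "__main__":
    for sni in (True, False):
        print("SNI sent:", sni, "->", connect("mgt.is.wso2.com", sni))
```

A client that omits SNI still passes the check for `mgt.bps.wso2.com` in this model, because the default certificate happens to cover that name, so only calls to the non-default host fail.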
[Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard
Hi all,

I have encountered a weird "hostname in certificate didn't match:" issue when accessing IS dashboard. My setup details are as follows.

*Setup Details*

*IS cluster*
- 3 nodes cluster
- Hostname - mgt.is.wso2.com
- Certificate CN - mgt.is.wso2.com

*BPS cluster*
- 2 nodes cluster (manager/worker)
- Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
- Certificate CN - *.bps.wso2.com

* Both nodes are fronted by same Nginx plus load balancer.

[1]
javax.net.ssl.SSLException: hostname in certificate didn't match: <mgt.is.wso2.com> != <*.bps.wso2.com>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)

When we check the browser cookie, it gave correct certificate (mgt.is.wso2.com), but when we check it from java client[2] it gives the bps certificate (*.bps.wso2.com) instead of IS.

[2] https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/

What is the reason for this? Is it my config issue or Nginx issue or our product issue?

--
*Regards,*

*Aparna Karunarathna.*

*Associate Technical Lead - QA*
*WSO2 Inc.*
*Mobile: 0714002533*