Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-11-23 Thread Dilshan Edirisuriya
Sorry the other thread is [1]

[1] - [Clarification](EONPROD-24) Accessing webpage via WSO2 ESB not
possbile - handshake error

On Mon, Nov 23, 2015 at 2:29 PM, Dilshan Edirisuriya 
wrote:

> Hi Aparna,
>
> It seems that the same issue occurring at [1].
>
> [1] - [Dev][IS] "hostname in certificate didn't match:" issue when
> accessing IS dashboard
>
> Regards,
>
> Dilshan
>
> On Fri, Nov 20, 2015 at 11:38 AM, Aparna Karunarathna 
> wrote:
>
>> Actually I have used another Nginx to resolve my issue, not a permanent
>> solution. AFAIU this is getting due to httpclient 4.3.1 doesn't support
>> SNI.
>>
>> @IsuruU, Shouldn't it upgrade to httpclient 4.3.2 ?
>>
>> Regards,
>> Aparna.
>>
>>
>> On Fri, Nov 20, 2015 at 11:24 AM, Malintha Adikari 
>> wrote:
>>
>>> Hi Aprana,
>>>
>>> I am getting the same issue while accessing APIM distributed cluster
>>> nodes fronted through loadbalancer(nginx) instance. Did you able to solve
>>> this issue ? If so how did you solve it ?
>>>
>>> Regards,
>>> Malintha
>>>
>>> On Wed, Oct 28, 2015 at 2:09 PM, Isuru Udana  wrote:
>>>
 Hi Aparna,

 Bundles are coming from features, whatever version defined in the
 product pom have no relationship for that.

  Thanks.

 On Wed, Oct 28, 2015 at 11:20 AM, Aparna Karunarathna 
 wrote:

> Hi Isuru,
>
> I checked version from the ESB master branch pom[1].
>
> 4.1.2
>
> [1] https://github.com/wso2/product-esb/blob/master/pom.xml
>
> Regards,
> Aparna.
>
> On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana  wrote:
>
>> Hi Aparna,
>>
>> We are using 4.3.1.
>>
>>
>> Thanks.
>>
>> On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna <
>> apa...@wso2.com> wrote:
>>
>>> Hi Kasun/Isuru,
>>>
>>> Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to
>>> newer version?
>>>
>>> @Deep, Thanks for the clarification.
>>>
>>> Regards,
>>> Aparna
>>>
>>> On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa >> > wrote:
>>>
 Hi Aparna,

 This can happen when the client does not send the SNI[1][2] to the
 server side to select the proper HTTPS virtual host. In this case NGINX
 reverse proxy created in the vhost. Most of the modern browsers send 
 SNI to
 server, therefore you will not observe this when you make the request 
 via a
 modern browser.

 Most of the new Java HTTP client libraries also support SNI. As an
 example, Apache httpclient library support SNI from version 4.3.2 [3]. 
 If
 you use a library which does not support SNI, you will get this error 
 for
 HTTPS call going towards services hosted in virtual host environments.

 [1] https://en.wikipedia.org/wiki/Server_Name_Indication
 [2] https://www.ietf.org/rfc/rfc3546.txt
 [3] https://hc.apache.org/news.html

 On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna <
 apa...@wso2.com> wrote:

> Hi all,
>
> I have encountered a weird "hostname in certificate didn't match:"
> issue when accessing IS dashboard. My setup details are as follows.
>
> *Setup Details*
> *IS cluster*
> - 3 nodes cluster
> - Hostname - mgt.is.wso2.com
> - Certificate CN - mgt.is.wso2.com
>
> *BPS cluster*
> - 2 nodes cluster (manager/worker)
> - Hostnames - Manager - mgt.bps.wso2.com / Worker -
> wrk.bps.wso2.com
> - Certificate CN - *.bps.wso2.com
>
> * Both nodes are fronted by same Nginx plus load balancer.
>
> [1]
> javax.net.ssl.SSLException: hostname in certificate didn't match: <
> mgt.is.wso2.com> != <*.bps.wso2.com>
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
> at
> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
> 
> 
>
> When we check the browser cookie, it gave correct certificate. (
> mgt.is.wso2.com), but when we check it from java client[2] it
> gives the bps certificate (*.bps.wso2.com) instead of IS.
>
> [2]
> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>
> What is the reason for this? Is it my config issue or Nginx issue
> or our product issue?
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 

Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-11-23 Thread Dilshan Edirisuriya
Hi Aparna,

It seems that the same issue occurring at [1].

[1] - [Dev][IS] "hostname in certificate didn't match:" issue when
accessing IS dashboard

Regards,

Dilshan

On Fri, Nov 20, 2015 at 11:38 AM, Aparna Karunarathna 
wrote:

> Actually I have used another Nginx to resolve my issue, not a permanent
> solution. AFAIU this is getting due to httpclient 4.3.1 doesn't support
> SNI.
>
> @IsuruU, Shouldn't it upgrade to httpclient 4.3.2 ?
>
> Regards,
> Aparna.
>
>
> On Fri, Nov 20, 2015 at 11:24 AM, Malintha Adikari 
> wrote:
>
>> Hi Aprana,
>>
>> I am getting the same issue while accessing APIM distributed cluster
>> nodes fronted through loadbalancer(nginx) instance. Did you able to solve
>> this issue ? If so how did you solve it ?
>>
>> Regards,
>> Malintha
>>
>> On Wed, Oct 28, 2015 at 2:09 PM, Isuru Udana  wrote:
>>
>>> Hi Aparna,
>>>
>>> Bundles are coming from features, whatever version defined in the
>>> product pom have no relationship for that.
>>>
>>>  Thanks.
>>>
>>> On Wed, Oct 28, 2015 at 11:20 AM, Aparna Karunarathna 
>>> wrote:
>>>
 Hi Isuru,

 I checked version from the ESB master branch pom[1].

 4.1.2

 [1] https://github.com/wso2/product-esb/blob/master/pom.xml

 Regards,
 Aparna.

 On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana  wrote:

> Hi Aparna,
>
> We are using 4.3.1.
>
>
> Thanks.
>
> On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna  > wrote:
>
>> Hi Kasun/Isuru,
>>
>> Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to
>> newer version?
>>
>> @Deep, Thanks for the clarification.
>>
>> Regards,
>> Aparna
>>
>> On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa 
>> wrote:
>>
>>> Hi Aparna,
>>>
>>> This can happen when the client does not send the SNI[1][2] to the
>>> server side to select the proper HTTPS virtual host. In this case NGINX
>>> reverse proxy created in the vhost. Most of the modern browsers send 
>>> SNI to
>>> server, therefore you will not observe this when you make the request 
>>> via a
>>> modern browser.
>>>
>>> Most of the new Java HTTP client libraries also support SNI. As an
>>> example, Apache httpclient library support SNI from version 4.3.2 [3]. 
>>> If
>>> you use a library which does not support SNI, you will get this error 
>>> for
>>> HTTPS call going towards services hosted in virtual host environments.
>>>
>>> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
>>> [2] https://www.ietf.org/rfc/rfc3546.txt
>>> [3] https://hc.apache.org/news.html
>>>
>>> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna <
>>> apa...@wso2.com> wrote:
>>>
 Hi all,

 I have encountered a weird "hostname in certificate didn't match:"
 issue when accessing IS dashboard. My setup details are as follows.

 *Setup Details*
 *IS cluster*
 - 3 nodes cluster
 - Hostname - mgt.is.wso2.com
 - Certificate CN - mgt.is.wso2.com

 *BPS cluster*
 - 2 nodes cluster (manager/worker)
 - Hostnames - Manager - mgt.bps.wso2.com / Worker -
 wrk.bps.wso2.com
 - Certificate CN - *.bps.wso2.com

 * Both nodes are fronted by same Nginx plus load balancer.

 [1]
 javax.net.ssl.SSLException: hostname in certificate didn't match: <
 mgt.is.wso2.com> != <*.bps.wso2.com>
 at
 org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
 at
 org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
 
 

 When we check the browser cookie, it gave correct certificate. (
 mgt.is.wso2.com), but when we check it from java client[2] it
 gives the bps certificate (*.bps.wso2.com) instead of IS.

 [2]
 https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/

 What is the reason for this? Is it my config issue or Nginx issue
 or our product issue?

 --
 *Regards,*

 *Aparna Karunarathna.*


 *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533
 <0714002533>*

>>>
>>>
>>>
>>> --
>>> Deependra Ariyadewa
>>> WSO2, Inc. http://wso2.com/ http://wso2.org
>>>
>>> email d...@wso2.com; cell +94 71 403 5996 ;
>>> Blog http://risenfall.wordpress.com/
>>> PGP info: KeyID: 'DC627E6F'
>>>
>>> *WSO2 - Lean . Enterprise . Middleware*
>>>
>>
>>

Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-11-19 Thread Malintha Adikari
Hi Aprana,

I am getting the same issue while accessing APIM distributed cluster nodes
fronted through loadbalancer(nginx) instance. Did you able to solve this
issue ? If so how did you solve it ?

Regards,
Malintha

On Wed, Oct 28, 2015 at 2:09 PM, Isuru Udana  wrote:

> Hi Aparna,
>
> Bundles are coming from features, whatever version defined in the product
> pom have no relationship for that.
>
>  Thanks.
>
> On Wed, Oct 28, 2015 at 11:20 AM, Aparna Karunarathna 
> wrote:
>
>> Hi Isuru,
>>
>> I checked version from the ESB master branch pom[1].
>>
>> 4.1.2
>>
>> [1] https://github.com/wso2/product-esb/blob/master/pom.xml
>>
>> Regards,
>> Aparna.
>>
>> On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana  wrote:
>>
>>> Hi Aparna,
>>>
>>> We are using 4.3.1.
>>>
>>>
>>> Thanks.
>>>
>>> On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna 
>>> wrote:
>>>
 Hi Kasun/Isuru,

 Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to
 newer version?

 @Deep, Thanks for the clarification.

 Regards,
 Aparna

 On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa 
 wrote:

> Hi Aparna,
>
> This can happen when the client does not send the SNI[1][2] to the
> server side to select the proper HTTPS virtual host. In this case NGINX
> reverse proxy created in the vhost. Most of the modern browsers send SNI 
> to
> server, therefore you will not observe this when you make the request via 
> a
> modern browser.
>
> Most of the new Java HTTP client libraries also support SNI. As an
> example, Apache httpclient library support SNI from version 4.3.2 [3]. If
> you use a library which does not support SNI, you will get this error for
> HTTPS call going towards services hosted in virtual host environments.
>
> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
> [2] https://www.ietf.org/rfc/rfc3546.txt
> [3] https://hc.apache.org/news.html
>
> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna  > wrote:
>
>> Hi all,
>>
>> I have encountered a weird "hostname in certificate didn't match:"
>> issue when accessing IS dashboard. My setup details are as follows.
>>
>> *Setup Details*
>> *IS cluster*
>> - 3 nodes cluster
>> - Hostname - mgt.is.wso2.com
>> - Certificate CN - mgt.is.wso2.com
>>
>> *BPS cluster*
>> - 2 nodes cluster (manager/worker)
>> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
>> - Certificate CN - *.bps.wso2.com
>>
>> * Both nodes are fronted by same Nginx plus load balancer.
>>
>> [1]
>> javax.net.ssl.SSLException: hostname in certificate didn't match: <
>> mgt.is.wso2.com> != <*.bps.wso2.com>
>> at
>> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>> at
>> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>> 
>> 
>>
>> When we check the browser cookie, it gave correct certificate. (
>> mgt.is.wso2.com), but when we check it from java client[2] it gives
>> the bps certificate (*.bps.wso2.com) instead of IS.
>>
>> [2]
>> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>>
>> What is the reason for this? Is it my config issue or Nginx issue or
>> our product issue?
>>
>> --
>> *Regards,*
>>
>> *Aparna Karunarathna.*
>>
>>
>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533
>> <0714002533>*
>>
>
>
>
> --
> Deependra Ariyadewa
> WSO2, Inc. http://wso2.com/ http://wso2.org
>
> email d...@wso2.com; cell +94 71 403 5996 ;
> Blog http://risenfall.wordpress.com/
> PGP info: KeyID: 'DC627E6F'
>
> *WSO2 - Lean . Enterprise . Middleware*
>



 --
 *Regards,*

 *Aparna Karunarathna.*


 *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*

>>>
>>>
>>>
>>> --
>>> *Isuru Udana*
>>> Associate Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>> email: isu...@wso2.com cell: +94 77 3791887
>>> blog: http://mytecheye.blogspot.com/
>>>
>>
>>
>>
>> --
>> *Regards,*
>>
>> *Aparna Karunarathna.*
>>
>>
>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>>
>
>
>
> --
> *Isuru Udana*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> email: isu...@wso2.com cell: +94 77 3791887
> blog: http://mytecheye.blogspot.com/
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
*Malintha Adikari*
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware


Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-11-19 Thread Aparna Karunarathna
Actually I have used another Nginx to resolve my issue, not a permanent
solution. AFAIU this is getting due to httpclient 4.3.1 doesn't support
SNI.

@IsuruU, Shouldn't it upgrade to httpclient 4.3.2 ?

Regards,
Aparna.


On Fri, Nov 20, 2015 at 11:24 AM, Malintha Adikari 
wrote:

> Hi Aprana,
>
> I am getting the same issue while accessing APIM distributed cluster nodes
> fronted through loadbalancer(nginx) instance. Did you able to solve this
> issue ? If so how did you solve it ?
>
> Regards,
> Malintha
>
> On Wed, Oct 28, 2015 at 2:09 PM, Isuru Udana  wrote:
>
>> Hi Aparna,
>>
>> Bundles are coming from features, whatever version defined in the product
>> pom have no relationship for that.
>>
>>  Thanks.
>>
>> On Wed, Oct 28, 2015 at 11:20 AM, Aparna Karunarathna 
>> wrote:
>>
>>> Hi Isuru,
>>>
>>> I checked version from the ESB master branch pom[1].
>>>
>>> 4.1.2
>>>
>>> [1] https://github.com/wso2/product-esb/blob/master/pom.xml
>>>
>>> Regards,
>>> Aparna.
>>>
>>> On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana  wrote:
>>>
 Hi Aparna,

 We are using 4.3.1.


 Thanks.

 On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna 
 wrote:

> Hi Kasun/Isuru,
>
> Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to
> newer version?
>
> @Deep, Thanks for the clarification.
>
> Regards,
> Aparna
>
> On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa 
> wrote:
>
>> Hi Aparna,
>>
>> This can happen when the client does not send the SNI[1][2] to the
>> server side to select the proper HTTPS virtual host. In this case NGINX
>> reverse proxy created in the vhost. Most of the modern browsers send SNI 
>> to
>> server, therefore you will not observe this when you make the request 
>> via a
>> modern browser.
>>
>> Most of the new Java HTTP client libraries also support SNI. As an
>> example, Apache httpclient library support SNI from version 4.3.2 [3]. If
>> you use a library which does not support SNI, you will get this error for
>> HTTPS call going towards services hosted in virtual host environments.
>>
>> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
>> [2] https://www.ietf.org/rfc/rfc3546.txt
>> [3] https://hc.apache.org/news.html
>>
>> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna <
>> apa...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> I have encountered a weird "hostname in certificate didn't match:"
>>> issue when accessing IS dashboard. My setup details are as follows.
>>>
>>> *Setup Details*
>>> *IS cluster*
>>> - 3 nodes cluster
>>> - Hostname - mgt.is.wso2.com
>>> - Certificate CN - mgt.is.wso2.com
>>>
>>> *BPS cluster*
>>> - 2 nodes cluster (manager/worker)
>>> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
>>> - Certificate CN - *.bps.wso2.com
>>>
>>> * Both nodes are fronted by same Nginx plus load balancer.
>>>
>>> [1]
>>> javax.net.ssl.SSLException: hostname in certificate didn't match: <
>>> mgt.is.wso2.com> != <*.bps.wso2.com>
>>> at
>>> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>>> at
>>> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>>> 
>>> 
>>>
>>> When we check the browser cookie, it gave correct certificate. (
>>> mgt.is.wso2.com), but when we check it from java client[2] it gives
>>> the bps certificate (*.bps.wso2.com) instead of IS.
>>>
>>> [2]
>>> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>>>
>>> What is the reason for this? Is it my config issue or Nginx issue or
>>> our product issue?
>>>
>>> --
>>> *Regards,*
>>>
>>> *Aparna Karunarathna.*
>>>
>>>
>>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533
>>> <0714002533>*
>>>
>>
>>
>>
>> --
>> Deependra Ariyadewa
>> WSO2, Inc. http://wso2.com/ http://wso2.org
>>
>> email d...@wso2.com; cell +94 71 403 5996 ;
>> Blog http://risenfall.wordpress.com/
>> PGP info: KeyID: 'DC627E6F'
>>
>> *WSO2 - Lean . Enterprise . Middleware*
>>
>
>
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>



 --
 *Isuru Udana*
 Associate Technical Lead
 WSO2 Inc.; http://wso2.com
 email: isu...@wso2.com cell: +94 77 3791887
 blog: http://mytecheye.blogspot.com/

>>>
>>>
>>>
>>> --
>>> *Regards,*
>>>
>>> *Aparna Karunarathna.*
>>>
>>>
>>> 

Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-10-28 Thread Isuru Udana
Hi Aparna,

Bundles are coming from features, whatever version defined in the product
pom have no relationship for that.

 Thanks.

On Wed, Oct 28, 2015 at 11:20 AM, Aparna Karunarathna 
wrote:

> Hi Isuru,
>
> I checked version from the ESB master branch pom[1].
>
> 4.1.2
>
> [1] https://github.com/wso2/product-esb/blob/master/pom.xml
>
> Regards,
> Aparna.
>
> On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana  wrote:
>
>> Hi Aparna,
>>
>> We are using 4.3.1.
>>
>>
>> Thanks.
>>
>> On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna 
>> wrote:
>>
>>> Hi Kasun/Isuru,
>>>
>>> Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to
>>> newer version?
>>>
>>> @Deep, Thanks for the clarification.
>>>
>>> Regards,
>>> Aparna
>>>
>>> On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa 
>>> wrote:
>>>
 Hi Aparna,

 This can happen when the client does not send the SNI[1][2] to the
 server side to select the proper HTTPS virtual host. In this case NGINX
 reverse proxy created in the vhost. Most of the modern browsers send SNI to
 server, therefore you will not observe this when you make the request via a
 modern browser.

 Most of the new Java HTTP client libraries also support SNI. As an
 example, Apache httpclient library support SNI from version 4.3.2 [3]. If
 you use a library which does not support SNI, you will get this error for
 HTTPS call going towards services hosted in virtual host environments.

 [1] https://en.wikipedia.org/wiki/Server_Name_Indication
 [2] https://www.ietf.org/rfc/rfc3546.txt
 [3] https://hc.apache.org/news.html

 On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna 
 wrote:

> Hi all,
>
> I have encountered a weird "hostname in certificate didn't match:"
> issue when accessing IS dashboard. My setup details are as follows.
>
> *Setup Details*
> *IS cluster*
> - 3 nodes cluster
> - Hostname - mgt.is.wso2.com
> - Certificate CN - mgt.is.wso2.com
>
> *BPS cluster*
> - 2 nodes cluster (manager/worker)
> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
> - Certificate CN - *.bps.wso2.com
>
> * Both nodes are fronted by same Nginx plus load balancer.
>
> [1]
> javax.net.ssl.SSLException: hostname in certificate didn't match: <
> mgt.is.wso2.com> != <*.bps.wso2.com>
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
> at
> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
> 
> 
>
> When we check the browser cookie, it gave correct certificate. (
> mgt.is.wso2.com), but when we check it from java client[2] it gives
> the bps certificate (*.bps.wso2.com) instead of IS.
>
> [2]
> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>
> What is the reason for this? Is it my config issue or Nginx issue or
> our product issue?
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>



 --
 Deependra Ariyadewa
 WSO2, Inc. http://wso2.com/ http://wso2.org

 email d...@wso2.com; cell +94 71 403 5996 ;
 Blog http://risenfall.wordpress.com/
 PGP info: KeyID: 'DC627E6F'

 *WSO2 - Lean . Enterprise . Middleware*

>>>
>>>
>>>
>>> --
>>> *Regards,*
>>>
>>> *Aparna Karunarathna.*
>>>
>>>
>>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>>>
>>
>>
>>
>> --
>> *Isuru Udana*
>> Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>> email: isu...@wso2.com cell: +94 77 3791887
>> blog: http://mytecheye.blogspot.com/
>>
>
>
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>



-- 
*Isuru Udana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
email: isu...@wso2.com cell: +94 77 3791887
blog: http://mytecheye.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-10-27 Thread Aparna Karunarathna
Hi Isuru,

I checked version from the ESB master branch pom[1].

4.1.2

[1] https://github.com/wso2/product-esb/blob/master/pom.xml

Regards,
Aparna.

On Tue, Oct 27, 2015 at 5:41 AM, Isuru Udana  wrote:

> Hi Aparna,
>
> We are using 4.3.1.
>
>
> Thanks.
>
> On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna 
> wrote:
>
>> Hi Kasun/Isuru,
>>
>> Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to newer
>> version?
>>
>> @Deep, Thanks for the clarification.
>>
>> Regards,
>> Aparna
>>
>> On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa 
>> wrote:
>>
>>> Hi Aparna,
>>>
>>> This can happen when the client does not send the SNI[1][2] to the
>>> server side to select the proper HTTPS virtual host. In this case NGINX
>>> reverse proxy created in the vhost. Most of the modern browsers send SNI to
>>> server, therefore you will not observe this when you make the request via a
>>> modern browser.
>>>
>>> Most of the new Java HTTP client libraries also support SNI. As an
>>> example, Apache httpclient library support SNI from version 4.3.2 [3]. If
>>> you use a library which does not support SNI, you will get this error for
>>> HTTPS call going towards services hosted in virtual host environments.
>>>
>>> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
>>> [2] https://www.ietf.org/rfc/rfc3546.txt
>>> [3] https://hc.apache.org/news.html
>>>
>>> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna 
>>> wrote:
>>>
 Hi all,

 I have encountered a weird "hostname in certificate didn't match:"
 issue when accessing IS dashboard. My setup details are as follows.

 *Setup Details*
 *IS cluster*
 - 3 nodes cluster
 - Hostname - mgt.is.wso2.com
 - Certificate CN - mgt.is.wso2.com

 *BPS cluster*
 - 2 nodes cluster (manager/worker)
 - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
 - Certificate CN - *.bps.wso2.com

 * Both nodes are fronted by same Nginx plus load balancer.

 [1]
 javax.net.ssl.SSLException: hostname in certificate didn't match: <
 mgt.is.wso2.com> != <*.bps.wso2.com>
 at
 org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
 at
 org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
 
 

 When we check the browser cookie, it gave correct certificate. (
 mgt.is.wso2.com), but when we check it from java client[2] it gives
 the bps certificate (*.bps.wso2.com) instead of IS.

 [2]
 https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/

 What is the reason for this? Is it my config issue or Nginx issue or
 our product issue?

 --
 *Regards,*

 *Aparna Karunarathna.*


 *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*

>>>
>>>
>>>
>>> --
>>> Deependra Ariyadewa
>>> WSO2, Inc. http://wso2.com/ http://wso2.org
>>>
>>> email d...@wso2.com; cell +94 71 403 5996 ;
>>> Blog http://risenfall.wordpress.com/
>>> PGP info: KeyID: 'DC627E6F'
>>>
>>> *WSO2 - Lean . Enterprise . Middleware*
>>>
>>
>>
>>
>> --
>> *Regards,*
>>
>> *Aparna Karunarathna.*
>>
>>
>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>>
>
>
>
> --
> *Isuru Udana*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> email: isu...@wso2.com cell: +94 77 3791887
> blog: http://mytecheye.blogspot.com/
>



-- 
*Regards,*

*Aparna Karunarathna.*


*Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-10-26 Thread Isuru Udana
Hi Aparna,

We are using 4.3.1.


Thanks.

On Mon, Oct 26, 2015 at 10:36 AM, Aparna Karunarathna 
wrote:

> Hi Kasun/Isuru,
>
> Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to newer
> version?
>
> @Deep, Thanks for the clarification.
>
> Regards,
> Aparna
>
> On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa 
> wrote:
>
>> Hi Aparna,
>>
>> This can happen when the client does not send the SNI[1][2] to the server
>> side to select the proper HTTPS virtual host. In this case NGINX reverse
>> proxy created in the vhost. Most of the modern browsers send SNI to server,
>> therefore you will not observe this when you make the request via a modern
>> browser.
>>
>> Most of the new Java HTTP client libraries also support SNI. As an
>> example, Apache httpclient library support SNI from version 4.3.2 [3]. If
>> you use a library which does not support SNI, you will get this error for
>> HTTPS call going towards services hosted in virtual host environments.
>>
>> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
>> [2] https://www.ietf.org/rfc/rfc3546.txt
>> [3] https://hc.apache.org/news.html
>>
>> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna 
>> wrote:
>>
>>> Hi all,
>>>
>>> I have encountered a weird "hostname in certificate didn't match:" issue
>>> when accessing IS dashboard. My setup details are as follows.
>>>
>>> *Setup Details*
>>> *IS cluster*
>>> - 3 nodes cluster
>>> - Hostname - mgt.is.wso2.com
>>> - Certificate CN - mgt.is.wso2.com
>>>
>>> *BPS cluster*
>>> - 2 nodes cluster (manager/worker)
>>> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
>>> - Certificate CN - *.bps.wso2.com
>>>
>>> * Both nodes are fronted by same Nginx plus load balancer.
>>>
>>> [1]
>>> javax.net.ssl.SSLException: hostname in certificate didn't match: <
>>> mgt.is.wso2.com> != <*.bps.wso2.com>
>>> at
>>> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>>> at
>>> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>>> 
>>> 
>>>
>>> When we check the browser cookie, it gave correct certificate. (
>>> mgt.is.wso2.com), but when we check it from java client[2] it gives the
>>> bps certificate (*.bps.wso2.com) instead of IS.
>>>
>>> [2]
>>> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>>>
>>> What is the reason for this? Is it my config issue or Nginx issue or our
>>> product issue?
>>>
>>> --
>>> *Regards,*
>>>
>>> *Aparna Karunarathna.*
>>>
>>>
>>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>>>
>>
>>
>>
>> --
>> Deependra Ariyadewa
>> WSO2, Inc. http://wso2.com/ http://wso2.org
>>
>> email d...@wso2.com; cell +94 71 403 5996 ;
>> Blog http://risenfall.wordpress.com/
>> PGP info: KeyID: 'DC627E6F'
>>
>> *WSO2 - Lean . Enterprise . Middleware*
>>
>
>
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>



-- 
*Isuru Udana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
email: isu...@wso2.com cell: +94 77 3791887
blog: http://mytecheye.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-10-25 Thread Aparna Karunarathna
Hi Kasun/Isuru,

Currently ESB uses Apache httpclient 4.1.2, shouldn't it upgrade to newer
version?

@Deep, Thanks for the clarification.

Regards,
Aparna

On Sat, Oct 24, 2015 at 11:38 AM, Deependra Ariyadewa  wrote:

> Hi Aparna,
>
> This can happen when the client does not send the SNI[1][2] to the server
> side to select the proper HTTPS virtual host. In this case NGINX reverse
> proxy created in the vhost. Most of the modern browsers send SNI to server,
> therefore you will not observe this when you make the request via a modern
> browser.
>
> Most of the new Java HTTP client libraries also support SNI. As an
> example, Apache httpclient library support SNI from version 4.3.2 [3]. If
> you use a library which does not support SNI, you will get this error for
> HTTPS call going towards services hosted in virtual host environments.
>
> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
> [2] https://www.ietf.org/rfc/rfc3546.txt
> [3] https://hc.apache.org/news.html
>
> On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna 
> wrote:
>
>> Hi all,
>>
>> I have encountered a weird "hostname in certificate didn't match:" issue
>> when accessing IS dashboard. My setup details are as follows.
>>
>> *Setup Details*
>> *IS cluster*
>> - 3 nodes cluster
>> - Hostname - mgt.is.wso2.com
>> - Certificate CN - mgt.is.wso2.com
>>
>> *BPS cluster*
>> - 2 nodes cluster (manager/worker)
>> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
>> - Certificate CN - *.bps.wso2.com
>>
>> * Both nodes are fronted by same Nginx plus load balancer.
>>
>> [1]
>> javax.net.ssl.SSLException: hostname in certificate didn't match: <
>> mgt.is.wso2.com> != <*.bps.wso2.com>
>> at
>> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>> at
>> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>> 
>> 
>>
>> When we check the browser cookie, it gave correct certificate. (
>> mgt.is.wso2.com), but when we check it from java client[2] it gives the
>> bps certificate (*.bps.wso2.com) instead of IS.
>>
>> [2]
>> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>>
>> What is the reason for this? Is it my config issue or Nginx issue or our
>> product issue?
>>
>> --
>> *Regards,*
>>
>> *Aparna Karunarathna.*
>>
>>
>> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>>
>
>
>
> --
> Deependra Ariyadewa
> WSO2, Inc. http://wso2.com/ http://wso2.org
>
> email d...@wso2.com; cell +94 71 403 5996 ;
> Blog http://risenfall.wordpress.com/
> PGP info: KeyID: 'DC627E6F'
>
> *WSO2 - Lean . Enterprise . Middleware*
>



-- 
*Regards,*

*Aparna Karunarathna.*


*Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-10-24 Thread Deependra Ariyadewa
Hi Aparna,

This can happen when the client does not send the SNI[1][2] to the server
side to select the proper HTTPS virtual host. In this case NGINX reverse
proxy created in the vhost. Most of the modern browsers send SNI to server,
therefore you will not observe this when you make the request via a modern
browser.

Most of the new Java HTTP client libraries also support SNI. As an example,
Apache httpclient library support SNI from version 4.3.2 [3]. If you use a
library which does not support SNI, you will get this error for HTTPS call
going towards services hosted in virtual host environments.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://www.ietf.org/rfc/rfc3546.txt
[3] https://hc.apache.org/news.html

On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna 
wrote:

> Hi all,
>
> I have encountered a weird "hostname in certificate didn't match:" issue
> when accessing IS dashboard. My setup details are as follows.
>
> *Setup Details*
> *IS cluster*
> - 3 nodes cluster
> - Hostname - mgt.is.wso2.com
> - Certificate CN - mgt.is.wso2.com
>
> *BPS cluster*
> - 2 nodes cluster (manager/worker)
> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
> - Certificate CN - *.bps.wso2.com
>
> * Both nodes are fronted by same Nginx plus load balancer.
>
> [1]
> javax.net.ssl.SSLException: hostname in certificate didn't match: <
> mgt.is.wso2.com> != <*.bps.wso2.com>
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
> at
> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
> 
> 
>
> When we check the browser cookie, it gave correct certificate. (
> mgt.is.wso2.com), but when we check it from java client[2] it gives the
> bps certificate (*.bps.wso2.com) instead of IS.
>
> [2]
> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>
> What is the reason for this? Is it my config issue or Nginx issue or our
> product issue?
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533 <0714002533>*
>



-- 
Deependra Ariyadewa
WSO2, Inc. http://wso2.com/ http://wso2.org

email d...@wso2.com; cell +94 71 403 5996 ;
Blog http://risenfall.wordpress.com/
PGP info: KeyID: 'DC627E6F'

*WSO2 - Lean . Enterprise . Middleware*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] "hostname in certificate didn't match:" issue when accessing IS dashboard

2015-10-22 Thread Aparna Karunarathna
Hi all,

I have encountered a weird "hostname in certificate didn't match:" issue
when accessing IS dashboard. My setup details are as follows.

*Setup Details*
*IS cluster*
- 3 nodes cluster
- Hostname - mgt.is.wso2.com
- Certificate CN - mgt.is.wso2.com

*BPS cluster*
- 2 nodes cluster (manager/worker)
- Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
- Certificate CN - *.bps.wso2.com

* Both nodes are fronted by same Nginx plus load balancer.

[1]
javax.net.ssl.SSLException: hostname in certificate didn't match: <
mgt.is.wso2.com> != <*.bps.wso2.com>
at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
at
org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)



When we check the browser cookie, it gave correct certificate. (
mgt.is.wso2.com), but when we check it from java client[2] it gives the bps
certificate (*.bps.wso2.com) instead of IS.

[2]
https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/

What is the reason for this? Is it my config issue or Nginx issue or our
product issue?

-- 
*Regards,*

*Aparna Karunarathna.*


*Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev