The CertificateHostnameVerifier does support subject alternative names. I'd recommend setting a breakpoint in the "check" methods here + see what is going on:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java;hb=HEAD Colm. On Tue, Nov 4, 2014 at 3:56 PM, Cole Ferrier <c...@coleferrier.com> wrote: > Having a little bit of trouble with a a client web service due to a server > now having a certificate where its name is only in Subject Alternate Names. > > At first we where getting an error that was out of CXF and it said to set " > disableCNCheck" to true, however we don't want to disable alternate names. > > Then I tried a simple test: > > url = new URL(https_url); > HttpsURLConnection con = (HttpsURLConnection) url.openConnection(); > > and java 7 was able to connect to the url and download content from it. (it > didn't through off any errors). > > So then we set useHttpsURLConnectionDefaultSslSocketFactory and > useHttpsURLConnectionDefaultHostnameVerifier to true to try to use the Java > versions. > > javax.xml.ws.WebServiceException: Could not send Message. > at > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) > at com.sun.proxy.$Proxy50.callback(Unknown Source) > ..... (Code that called started the web service call) > Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException > invoking https://xxxxxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxxxx: > java.security.cert.CertificateException: No subject alternative DNS name > matching xxxxxxxxxxxxxxxxxxxxxxx found. > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334) > at > > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318) > at > org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) > at > org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623) > at > > org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) > at > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) > at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541) > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474) > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377) > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330) > at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) > at > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) > ... 5 more > Caused by: javax.net.ssl.SSLHandshakeException: > java.security.cert.CertificateException: No subject alternative DNS name > matching xxxxxxxxxxxxxxxx found. > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) > at > > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) > at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) > at > > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) > at > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515) > at > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > at > > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090) > at > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > at > > org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) > at > > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278) > at > > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234) > at > > org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) > at > > org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) > at > > org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) > at > > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291) > ... 15 more > Caused by: java.security.cert.CertificateException: No subject alternative > DNS name matching xxxxxxxxxxxxxxxxx found. > at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191) > at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) > at > > sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347) > at > > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203) > at > > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) > at > > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) > ... 33 more > > > Any Ideas why a basic URL connection works, but CXF while set to use the > Java defaults doesn't? > > > Thanks. > > Cole > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com