Thanks. Figured it out today. Turned out to be "self inflicted".

It looks like at some point our deployment package for our application had
the following Java option set: "-Djsse.enableSNIExtension=false".
Effectively, this option was turning off the ability to look at alternate
names. Now I have to do the research on why we had it set like that.

Thanks for the assistance.

Cole

On Wed, Nov 5, 2014 at 3:50 AM, Colm O hEigeartaigh <cohei...@apache.org>
wrote:

> The CertificateHostnameVerifier does support subject alternative names. I'd
> recommend setting a breakpoint in the "check" methods here + see what is
> going on:
>
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java;hb=HEAD
>
> Colm.
>
> On Tue, Nov 4, 2014 at 3:56 PM, Cole Ferrier <c...@coleferrier.com> wrote:
>
> > Having a little bit of trouble with a client web service due to a server
> > now having a certificate where its name is only in Subject Alternate Names.
> >
> > At first we were getting an error that was out of CXF and it said to set
> > "disableCNCheck" to true, however we don't want to disable alternate names.
> >
> > Then I tried a simple test:
> >
> > url = new URL(https_url);
> > HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
> >
> > and Java 7 was able to connect to the URL and download content from it (it
> > didn't throw off any errors).
> >
> > So then we set useHttpsURLConnectionDefaultSslSocketFactory and
> > useHttpsURLConnectionDefaultHostnameVerifier to true to try to use the Java
> > versions.
> >
> > javax.xml.ws.WebServiceException: Could not send Message.
> >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
> >     at com.sun.proxy.$Proxy50.callback(Unknown Source)
> > ..... (Code that called started the web service call)
> > Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://xxxxxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxxxx: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxxxxxxxxxxxxxxxxxx found.
> >     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> >     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
> >     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> >     at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
> >     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> >     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
> >     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> >     ... 5 more
> > Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxxxxxxxxxxx found.
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
> >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
> >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
> >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
> >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
> >     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
> >     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> >     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090)
> >     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> >     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
> >     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
> >     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
> >     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
> >     ... 15 more
> > Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxxxxxxxxxxxxxxxx found.
> >     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191)
> >     at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
> >     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
> >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
> >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
> >     ... 33 more
> >
> >
> > Any ideas why a basic URL connection works, but CXF while set to use the
> > Java defaults doesn't?
> >
> >
> > Thanks.
> >
> > Cole
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
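
A diagnostic for the situation in this thread, added here and not part of the original messages or of CXF: it reports whether `jsse.enableSNIExtension` is set to false in the running JVM and which launch argument set it, and, when given a host, lists the subject alternative DNS names of the certificate the server presents so they can be compared with the name in the exception. The class name `SniSanCheck` and its command-line arguments (host, optional port) are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added diagnostic (hypothetical class name): reports the SNI setting and the server's SAN DNS names. */
public class SniSanCheck {

    /** True when jsse.enableSNIExtension is currently set to false in this JVM. */
    static boolean sniDisabled() {
        return "false".equalsIgnoreCase(System.getProperty("jsse.enableSNIExtension"));
    }

    /** JVM launch arguments that mention the property, to trace where it was set. */
    static List<String> launchArgsSettingSni() {
        List<String> hits = new ArrayList<>();
        for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            if (arg.startsWith("-Djsse.enableSNIExtension")) hits.add(arg);
        }
        return hits;
    }

    /** dNSName entries (GeneralName type 2) from a certificate's subjectAltName extension. */
    static List<String> sanDnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans == null) return names;
        for (List<?> entry : sans) {
            if (((Integer) entry.get(0)) == 2) names.add((String) entry.get(1));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SNI disabled by system property: " + sniDisabled());
        System.out.println("Launch args setting it: " + launchArgsSettingSni());
        if (args.length == 0) return; // no host given: report the JVM settings only
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port)) {
            s.startHandshake(); // chain validation only; a raw SSLSocket does no hostname check
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Subject: " + leaf.getSubjectX500Principal().getName());
            System.out.println("SAN DNS names: " + sanDnsNames(leaf));
        }
    }
}
```

Running it once with the application's own launch options and once without them shows whether the presented certificate, and therefore its SAN list, differs between the two.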
