It should automatically check/use the SAN (Subject Alternate Name). I'm not aware of any special config for that.
If you can, provide us with the following information:

1. endpoint address
2. output of "openssl s_client -connect cxf.apache.org:443 | openssl x509 -text -noout | grep -e Subject -e DNS", where you replace cxf.apache.org with the hostname of the endpoint address.

But first of all, you should probably try removing the <sec:keyManagers/> and <sec:trustManagers/> if they are in fact empty. It may just be that you are telling it to not use a trust store altogether. Without that it will fall back to using the JRE global cacerts truststore to validate/verify the server certificate chain.

On Wed, 22 Sept 2021 at 01:50, Tóth Csaba <[email protected]> wrote:
> Hello!
>
> For a webservice client (over https), the certificate sent by the server has
> a wrong "name", but it has a good "alternative name".
>
> I got javax.net.ssl.SSLHandshakeException: SSLHandshakeException.
>
> I have very basic conduit settings:
>
> <http:conduit name="url*">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="">
>       <sec:keyStore password="" resource="" type="JKS"/>
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore password="" resource="" type="JKS"/>
>     </sec:trustManagers>
>     <sec:cipherSuitesFilter>
>       <!-- these filters ensure that a ciphersuite with
>            export-suitable or null encryption is used, but exclude anonymous
>            Diffie-Hellman key change as this is vulnerable to man-in-the-middle
>            attacks -->
>       <sec:include>.*_EXPORT_.*</sec:include>
>       <sec:include>.*_EXPORT1024_.*</sec:include>
>       <sec:include>.*_WITH_DES_.*</sec:include>
>       <sec:include>.*_WITH_AES_.*</sec:include>
>       <sec:include>.*_WITH_NULL_.*</sec:include>
>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
>     </sec:cipherSuitesFilter>
>   </http:tlsClientParameters>
> </http:conduit>
>
> (with other https endpoints it's working)
>
> How can I set it up to check the "alternative name" too, and not only the
> "name"?
>
>
> Thanx
>
> Csaba
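The reply above says a TLS client matches the hostname against the certificate's SAN entries, and suggests `openssl x509 -text -noout | grep -e Subject -e DNS` to see what the server actually presents. The script below is an added example, not code from the thread or from CXF: it builds two constructed self-signed certificates with the openssl CLI (one whose Subject CN is deliberately "wrong" while the SAN carries the real hostname, one with no SAN at all), prints the same Subject/DNS lines the reply asks for, and then applies the matching rule a hostname verifier uses: when the certificate has dNSName SAN entries the CN is ignored entirely, the CN is only consulted when there is no SAN, and a wildcard covers exactly one leftmost label. All hostnames (`api.example.test`, `*.svc.example.test`, `wrong.example.test`, `legacy.example.test`) are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CXF thread). Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed cert via a generated openssl config so the SAN
# extension works on old and new openssl versions alike.
#   $1 = output PEM path, $2 = Subject CN, $3 = SAN list or "" for none
make_cert() {
  out=$1 cn=$2 san=$3
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    if [ -n "$san" ]; then printf 'x509_extensions = ext\n'; fi
    printf '[dn]\nCN = %s\n' "$cn"
    if [ -n "$san" ]; then printf '[ext]\nsubjectAltName = %s\n' "$san"; fi
  } > "$out.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$out.key" -out "$out" -config "$out.cnf" >/dev/null 2>&1
}

# The exact inspection the reply recommends, run on a local PEM file.
show_names() {
  openssl x509 -in "$1" -text -noout | grep -e Subject -e DNS
}

# dNSName SAN entries, one per line (empty if the cert has no SAN).
cert_dns_names() {
  openssl x509 -in "$1" -text -noout \
    | grep 'DNS:' | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p'
}

# Subject CN; works for both "CN = x" and "/CN=x" subject formats.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Does one presented name match the host? Case-insensitive; a wildcard
# "*.suffix" matches exactly one leftmost label (RFC 6125 section 6.4.3).
name_matches() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$name" = "$host" ]; then return 0; fi
  case "$name" in
    '*.'*)
      suffix=${name#\*.}
      case "$host" in
        *.*) [ "${host#*.}" = "$suffix" ] && [ -n "${host%%.*}" ] && return 0 ;;
      esac ;;
  esac
  return 1
}

# Hostname verification: SAN dNSName entries win; the Subject CN is only
# a legacy fallback when the certificate carries no SAN at all.
host_matches() {
  cert=$1 host=$2
  names=$(cert_dns_names "$cert")
  if [ -z "$names" ]; then
    names=$(cert_cn "$cert")
  fi
  for n in $names; do
    if name_matches "$n" "$host"; then return 0; fi
  done
  return 1
}

# Constructed test material: "wrong" CN with good SAN, and a CN-only cert.
SAN_CERT="$WORK/san.pem"
CN_CERT="$WORK/cn.pem"
make_cert "$SAN_CERT" wrong.example.test 'DNS:api.example.test, DNS:*.svc.example.test'
make_cert "$CN_CERT" legacy.example.test ''

echo "== what the reply's grep shows for the SAN cert =="
show_names "$SAN_CERT"
echo
for h in api.example.test foo.svc.example.test deep.foo.svc.example.test wrong.example.test; do
  if host_matches "$SAN_CERT" "$h"; then echo "$h: matches"; else echo "$h: NO MATCH"; fi
done
if host_matches "$CN_CERT" legacy.example.test; then echo "legacy.example.test (CN only): matches"; fi
```

If the name you connect to shows up under DNS: in the `show_names` output and the handshake still fails, the problem is not the SAN check; as the reply says, an empty trustManagers block means no trust store at all, so the chain itself cannot be validated, and that is the first thing to remove. Separately, the posted cipherSuitesFilter admits `_EXPORT_`, `_WITH_DES_` and `_WITH_NULL_` suites; a practitioner would restrict the include patterns to `.*_WITH_AES_.*` (and keep the anonymous DH exclusion) before shipping that configuration.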
