Posted to users@cxf.apache.org by Thomas Wilkin <wi...@lilly.com> on 2017/06/06 13:48:38 UTC

RE: [EXTERNAL] Re: Failing hostname verification for SSL connections with subdomain in URL

Hi Colm,

Unfortunately I am tied into that version. The application I am working on is vendor provided, with extension points that allow me to enhance the functionality. I am extending their existing web service client implementation which is using that version of the CXF library. From when I spoke to them last it is unlikely they will be willing to upgrade this any time soon due to the possibility of undesirable knock-on effects.

Regards,
Tom

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Tuesday, June 06, 2017 10:23 AM
To: users@cxf.apache.org
Subject: [EXTERNAL] Re: Failing hostname verification for SSL connections with subdomain in URL

Could you try with a more recent version of CXF than 3.0.7? I have a feeling that issue was subsequently fixed.

Colm.

On Fri, Jun 2, 2017 at 12:06 PM, Thomas Wilkin <wi...@lilly.com>
wrote:

> Hi,
>
> I am using the CXF library (version 3.0.7) to communicate with SSL 
> protected web service end points inside my organisation. However when 
> I try and connect to them I am getting an error message due to 
> hostname verification. I have looked into the code and I have 
> identified the failure is being caused by the check on the result of 
> the "countDots" method as
> follows:
> if (strict && countDots(identity) != countDots(domainRoot)) {
>     return false;
> }
>
> In my case the identity variable follows this pattern:
>     hostname.windows_domain.my_company.com
> The domainRoot variable follows this pattern:
>     .my_company.com
> The failure is happening because the former contains 3 dots and the 
> latter contains just 2.
>
> Is there any way I can prevent it from performing the strict check, 
> and not take this code path?
> My stack trace is as follows:
>     DefaultHostnameVerifier.matchIdentity(String, String, PublicSuffixMatcher, Boolean) line: 182
>     DefaultHostnameVerifier.matchIdentityStrict(String, String, PublicSuffixMatcher) line: 241
>     DefaultHostnameVerifier.matchDNSName(String, List<String>, PublicSuffixMatcher) line: 148
>     DefaultHostnameVerifier.verify(String, X509Certificate) line: 103
>     DefaultHostnameVerifier.verify(String, SSLSession) line: 81
>     AsyncHTTPConduit$AsyncWrappedOutputStream$5.verifySession(HttpHost, IOSession, SSLSession) line: 536
>     SSLIOSessionStrategy$1.verify(IOSession, SSLSession) line: 140
>
> As you can see the Boolean for the strict check is not something I seem
> to have any control over as the "matchIdentityStrict" method is called
> by "matchDNSName" directly.
>
> Regards,
> Tom
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
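An added example, not code from CXF or from the HttpClient verifier in the stack trace above: it reproduces the dot-count comparison the thread describes on the constructed host pattern from the original question, beside a label-based matcher in the style of RFC 6125 that compares labels instead of dot counts and so accepts a multi-level hostname without loosening the wildcard rules. Class and method names are my own.

```java
import java.util.Locale;

/** Added example (not CXF or HttpClient code). */
public final class HostnameMatchExample {

    // The heuristic from the thread: identity and domainRoot must have the same number of dots.
    static int countDots(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) if (s.charAt(i) == '.') n++;
        return n;
    }

    static boolean dotCountStrictCheck(String identity, String domainRoot) {
        return countDots(identity) == countDots(domainRoot);
    }

    /** Label-based match in the style of RFC 6125: labels must agree one-for-one,
     *  except that a lone '*' as the leftmost identity label matches exactly one
     *  host label. At least two literal labels must follow the wildcard, so a
     *  certificate for "*.com" can never match anything. */
    static boolean matchesIdentity(String host, String identity) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] id = identity.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (h.length != id.length) return false;          // a wildcard never spans two labels
        for (int i = 0; i < h.length; i++) {
            if (h[i].isEmpty() || id[i].isEmpty()) return false;   // empty label, e.g. leading dot
            if (i == 0 && id[0].equals("*")) {
                if (id.length < 3) return false;          // wildcard over a bare registrable domain
                continue;
            }
            if (id[i].contains("*") || !h[i].equals(id[i])) return false;  // no partial wildcards
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed values following the patterns quoted in the thread.
        String host = "hostname.windows_domain.my_company.com";
        String domainRoot = ".my_company.com";

        // Three dots against two: the dot-count rule rejects a host whose certificate names it exactly.
        System.out.println("dot-count strict check: " + dotCountStrictCheck(host, domainRoot));

        // Label matching: exact name, one-level wildcard, two-level wildcard, wildcard over the root.
        System.out.println("exact:        " + matchesIdentity(host, host));
        System.out.println("one level:    " + matchesIdentity(host, "*.windows_domain.my_company.com"));
        System.out.println("two levels:   " + matchesIdentity(host, "*.my_company.com"));
        System.out.println("root:         " + matchesIdentity("my_company.com", "*.com"));
    }
}
```

Only the first label check accepts the constructed host; the last two remain rejected, which is the property a strict mode is meant to guarantee without counting dots.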