Posted to users@cxf.apache.org by smq <sm...@hotmail.com> on 2015/04/10 23:51:31 UTC
CXF 3.0.4 client - how to disable CN checking
I don't know how to programmatically disable CN checking with CXF 3.0.4
JAX-RS 2.0 client. My code is as follows:
    System.setProperty("jsse.enableSNIExtension", "false");
    HttpsURLConnection.setDefaultHostnameVerifier(
        new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession sslSession) {
                return true;
            }
        });
    Client client = ClientBuilderImpl.newClient();
    String urlHost = "https://" + centralNode;
    WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
    String encodedpw = Base64.encodeBase64String(passwd.getBytes());
    String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
    logger.info("json body=" + body);
    Response res = target.request(MediaType.APPLICATION_JSON)
        .post(Entity.entity(body, MediaType.APPLICATION_JSON));
As you can see, I already tried to override the default hostnameverifier,
and set jsse.enableSNIExtension to false. None of these worked, I am still
getting the exception:
"The https URL hostname does not match the Common Name (CN) on the server
certificate in the client's truststore. Make sure server certificate is
correct, or to disable this check (NOT recommended for production) set the
CXF client TLS configuration property "disableCNCheck" to true."
Please help!
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Sergey Beryozkin <sb...@gmail.com>.
plain HTTPS server...
On 20/04/15 15:18, Sergey Beryozkin wrote:
> So - please do ClientBuilder.build(), set a verifier only,
> and test (we thought you probably have a 'plain' HTTP server running
> locally). If it still does not work - please provide a maven based project
>
> Sergey
>
> On 20/04/15 15:10, Sergey Beryozkin wrote:
>> On 20/04/15 14:34, smq wrote:
>>> The differences I can see:
>>> - you are calling ClientBuilder.build() - in my CXF3.0.4,
>>> ClientBuilder does
>>> not have build() method, so I am using newClient()
>>
>> I'm not calling a static .build() method, I'm calling it on a
>> ClientBuilder instance
>>
>>> - you are setting keyStore
>>
>> As I said - that is not needed if no two-way TLS is required
>>
>>> - you are setting trustManager
>>>
>> Yes. My understanding is that this is needed if a server provides a certificate
>> and a hostname verifier is used if you need to customize the certificate
>> validation process (re checking the host names).
>>
>> I don't understand how you can use a hostname verifier if you have no
>> trustManager ? Is it a valid combination ?
>>
>> Sergey
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Sergey Beryozkin <sb...@gmail.com>.
So - please do ClientBuilder.build(), set a verifier only,
and test (we thought you probably have a 'plain' HTTP server running
locally). If it still does not work - please provide a maven based project
Sergey
On 20/04/15 15:10, Sergey Beryozkin wrote:
> On 20/04/15 14:34, smq wrote:
>> The differences I can see:
>> - you are calling ClientBuilder.build() - in my CXF3.0.4,
>> ClientBuilder does
>> not have build() method, so I am using newClient()
>
> I'm not calling a static .build() method, I'm calling it on a
> ClientBuilder instance
>
>> - you are setting keyStore
>
> As I said - that is not needed if no two-way TLS is required
>
>> - you are setting trustManager
>>
> Yes. My understanding is that this is needed if a server provides a certificate
> and a hostname verifier is used if you need to customize the certificate
> validation process (re checking the host names).
>
> I don't understand how you can use a hostname verifier if you have no
> trustManager ? Is it a valid combination ?
>
> Sergey
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Sergey Beryozkin <sb...@gmail.com>.
On 20/04/15 14:34, smq wrote:
> The differences I can see:
> - you are calling ClientBuilder.build() - in my CXF3.0.4, ClientBuilder does
> not have build() method, so I am using newClient()
I'm not calling a static .build() method, I'm calling it on a
ClientBuilder instance
> - you are setting keyStore
As I said - that is not needed if no two-way TLS is required
> - you are setting trustManager
>
Yes. My understanding is that this is needed if a server provides a certificate
and a hostname verifier is used if you need to customize the certificate
validation process (re checking the host names).
I don't understand how you can use a hostname verifier if you have no
trustManager ? Is it a valid combination ?
Sergey
Re: CXF 3.0.4 client - how to disable CN checking
Posted by smq <sm...@hotmail.com>.
The differences I can see:
- you are calling ClientBuilder.build() - in my CXF3.0.4, ClientBuilder does
not have build() method, so I am using newClient()
- you are setting keyStore
- you are setting trustManager
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938p5756289.html
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Sergey Beryozkin <sb...@gmail.com>.
I have this test:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRS20HttpsBookTest.java;h=818749cf01186d905932e763849471baec407421;hb=HEAD
If I remove the line where the hostname verifier is registered I get an
error coming out Java HttpsClient that 'localhost' is problematic...
KeyStore 'keyStore' is not needed if the server requires no TLS client
authentication.
What is different in your case ?
Sergey
On 15/04/15 22:06, smq wrote:
> Tried to set HostnameVerifier on ClientBuilder - does not work :-( Here is
> the code snippet:
>
>     ClientBuilder clientBuilder = ClientBuilder.newBuilder();
>     clientBuilder.hostnameVerifier(new HostnameVerifier() {
>         public boolean verify(String hostname, SSLSession sslSession) {
>             return true;
>         }
>     });
>     Client client = clientBuilder.newClient();
>     //Client client = ClientBuilderImpl.newClient();
>     String urlHost = "https://" + centralNode;
>     WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
>     String encodedpw = Base64.encodeBase64String(passwd.getBytes());
>     String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
>     Invocation.Builder builder = target.request(MediaType.APPLICATION_JSON);
>     Response res = builder.post(Entity.entity(body, MediaType.APPLICATION_JSON));
>
> Still getting Common Name mismatch exception.
Re: CXF 3.0.4 client - how to disable CN checking
Posted by smq <sm...@hotmail.com>.
Tried to set HostnameVerifier on ClientBuilder - does not work :-( Here is
the code snippet:
    ClientBuilder clientBuilder = ClientBuilder.newBuilder();
    clientBuilder.hostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession sslSession) {
            return true;
        }
    });
    Client client = clientBuilder.newClient();
    //Client client = ClientBuilderImpl.newClient();
    String urlHost = "https://" + centralNode;
    WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
    String encodedpw = Base64.encodeBase64String(passwd.getBytes());
    String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
    Invocation.Builder builder = target.request(MediaType.APPLICATION_JSON);
    Response res = builder.post(Entity.entity(body, MediaType.APPLICATION_JSON));
Still getting Common Name mismatch exception.
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938p5756092.html
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Sergey Beryozkin <sb...@gmail.com>.
You also use ClientBuilderImpl.newClient();
Impl is not needed, but besides that you need to do:
ClientBuilder builder = ClientBuilder.newBuilder();
and then set builder properties and create a client
Cheers, Sergey
On 13/04/15 21:57, Sergey Beryozkin wrote:
> You do not use it correctly though,
>
> HttpUrlConnection.setDefaultHostnameVerifier is not part of JAX-RS 2.0 API.
>
> Can you set a verifier on ClientBuilder ? That should do it...
>
> Cheers, Sergey
>
> On 13/04/15 17:44, smq wrote:
>> The links to the example code all point to pre-CXF3.0 client. I am
>> using CXF
>> 3.0.4 which implements jax-rs 2.0. The Client I use is
>> javax.ws.rs.client.Client. So the methods in the example do not apply.
>
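The builder usage described in the message above, as an added example that is not code from the thread or from the CXF project: the properties are set on a ClientBuilder instance and build() is called on that same instance, and the verifier accepts a name mismatch only for one host and one certificate subject instead of returning true for everything. The class name, method names and parameters are hypothetical; only the javax.ws.rs.client and javax.net.ssl calls are real API.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

public final class PinnedNameClient {

    /**
     * Verifier for a server whose certificate name differs from the URL host.
     * urlHost and expectedSubjectDn (e.g. "CN=node1,O=Example") are assumptions
     * supplied by the caller; nothing here comes from the original thread.
     */
    static HostnameVerifier pinned(final String urlHost, final String expectedSubjectDn) {
        final X500Principal expected = new X500Principal(expectedSubjectDn);
        return new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                if (!urlHost.equalsIgnoreCase(hostname)) {
                    return false; // the exception covers this one host only
                }
                try {
                    // First element is the server's own (leaf) certificate.
                    Certificate leaf = session.getPeerCertificates()[0];
                    return leaf instanceof X509Certificate
                        && expected.equals(((X509Certificate) leaf).getSubjectX500Principal());
                } catch (SSLPeerUnverifiedException e) {
                    return false; // peer identity was never established: reject
                }
            }
        };
    }

    /** Builds the JAX-RS 2.0 client from a configured builder instance. */
    static Client newPinnedClient(KeyStore trustStore, String urlHost, String expectedSubjectDn) {
        ClientBuilder builder = ClientBuilder.newBuilder();
        builder.trustStore(trustStore); // certificate chain validation stays enabled
        builder.hostnameVerifier(pinned(urlHost, expectedSubjectDn));
        // build() is an instance method and applies the settings above;
        // ClientBuilder.newClient() is static and returns a default client.
        return builder.build();
    }
}
```

The returned Client is used as in the thread: client.target("https://" + centralNode).path(BASE_SERVICE_URL).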
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Sergey Beryozkin <sb...@gmail.com>.
You do not use it correctly though,
HttpUrlConnection.setDefaultHostnameVerifier is not part of JAX-RS 2.0 API.
Can you set a verifier on ClientBuilder ? That should do it...
Cheers, Sergey
On 13/04/15 17:44, smq wrote:
> The links to the example code all point to pre-CXF3.0 client. I am using CXF
> 3.0.4 which implements jax-rs 2.0. The Client I use is
> javax.ws.rs.client.Client. So the methods in the example do not apply.
Re: CXF 3.0.4 client - how to disable CN checking
Posted by smq <sm...@hotmail.com>.
The links to the example code all point to pre-CXF3.0 client. I am using CXF
3.0.4 which implements jax-rs 2.0. The Client I use is
javax.ws.rs.client.Client. So the methods in the example do not apply.
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938p5756007.html
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Colm O hEigeartaigh <co...@apache.org>.
Correction: "setDisableCNCheck(true)"
Colm.
On Mon, Apr 13, 2015 at 5:02 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:
> The default HostnameVerifier is only used if the
> "useHttpsURLConnectionDefaultHostnameVerifier" attribute of the CXF TLS
> ClientParameters Object is set to "true". See here:
>
> http://cxf.apache.org/docs/tls-configuration.html
>
> Alternatively you can just call "setDisableCNCheck(false)" on the
> TLSClientParameters Object. See the following tests for some examples:
>
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/transports/src/test/java/org/apache/cxf/systest/https/trust/TrustManagerTest.java;h=6264f447d87b7aad790ecec007ba69de43cab7c5;hb=HEAD
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java;h=2f6844971dfc78854dc76870b267391e2be087ac;hb=HEAD
>
> Colm.
>
> On Fri, Apr 10, 2015 at 10:51 PM, smq <sm...@hotmail.com> wrote:
>
>> I don't know how to programmatically disable CN checking with CXF 3.0.4
>> JAX-RS 2.0 client. My code is as follows:
>>
>>     System.setProperty("jsse.enableSNIExtension", "false");
>>     HttpsURLConnection.setDefaultHostnameVerifier(
>>         new HostnameVerifier() {
>>             public boolean verify(String hostname, SSLSession sslSession) {
>>                 return true;
>>             }
>>         });
>>     Client client = ClientBuilderImpl.newClient();
>>     String urlHost = "https://" + centralNode;
>>     WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
>>     String encodedpw = Base64.encodeBase64String(passwd.getBytes());
>>     String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
>>     logger.info("json body=" + body);
>>     Response res = target.request(MediaType.APPLICATION_JSON)
>>         .post(Entity.entity(body, MediaType.APPLICATION_JSON));
>>
>> As you can see, I already tried to override the default hostnameverifier,
>> and set jsse.enableSNIExtension to false. None of these worked, I am still
>> getting the exception:
>>
>> "The https URL hostname does not match the Common Name (CN) on the server
>> certificate in the client's truststore. Make sure server certificate is
>> correct, or to disable this check (NOT recommended for production) set the
>> CXF client TLS configuration property "disableCNCheck" to true."
>>
>> Please help!
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: CXF 3.0.4 client - how to disable CN checking
Posted by Colm O hEigeartaigh <co...@apache.org>.
The default HostnameVerifier is only used if the
"useHttpsURLConnectionDefaultHostnameVerifier" attribute of the CXF TLS
ClientParameters Object is set to "true". See here:
http://cxf.apache.org/docs/tls-configuration.html
Alternatively you can just call "setDisableCNCheck(false)" on the
TLSClientParameters Object. See the following tests for some examples:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/transports/src/test/java/org/apache/cxf/systest/https/trust/TrustManagerTest.java;h=6264f447d87b7aad790ecec007ba69de43cab7c5;hb=HEAD
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java;h=2f6844971dfc78854dc76870b267391e2be087ac;hb=HEAD
Colm.
On Fri, Apr 10, 2015 at 10:51 PM, smq <sm...@hotmail.com> wrote:
> I don't know how to programmatically disable CN checking with CXF 3.0.4
> JAX-RS 2.0 client. My code is as follows:
>
>     System.setProperty("jsse.enableSNIExtension", "false");
>     HttpsURLConnection.setDefaultHostnameVerifier(
>         new HostnameVerifier() {
>             public boolean verify(String hostname, SSLSession sslSession) {
>                 return true;
>             }
>         });
>     Client client = ClientBuilderImpl.newClient();
>     String urlHost = "https://" + centralNode;
>     WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
>     String encodedpw = Base64.encodeBase64String(passwd.getBytes());
>     String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
>     logger.info("json body=" + body);
>     Response res = target.request(MediaType.APPLICATION_JSON)
>         .post(Entity.entity(body, MediaType.APPLICATION_JSON));
>
> As you can see, I already tried to override the default hostnameverifier,
> and set jsse.enableSNIExtension to false. None of these worked, I am still
> getting the exception:
>
> "The https URL hostname does not match the Common Name (CN) on the server
> certificate in the client's truststore. Make sure server certificate is
> correct, or to disable this check (NOT recommended for production) set the
> CXF client TLS configuration property "disableCNCheck" to true."
>
> Please help!
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com