You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by sh...@daimler.com on 2019/02/08 05:12:47 UTC
[Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Hello Team,
We are using Axis2 1.4 to consume SOAP services from WSDL. Currently, facing issues with the SSL verification. Error is :
org.apache.axis2.AxisFault
org.apache.axis2.AxisFault: HTTPS hostname invalid: expected '******', received '******1234*****'
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:216)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:121)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:403)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:234)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected '******', received '******1234*****'
at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(Unknown Source)
at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.executeMethod(HTTPSenderImpl.java:872)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:212)
... 58 more
We found a similar RFC 2818(https://tools.ietf.org/html/rfc2818 ) and also existing issue https://lwn.net/Articles/611992/ where the server hostname is being verified via the Subject name (CN field) and not via the SAN entries.
Is Axis2 1.4 also affected by this ? Which version of axis2 is this issue fixed?
Let us know.
Thanks,
Shatabdi
If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
Re: RE: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Posted by robertlazarski <ro...@gmail.com>.
On Mon, Feb 11, 2019 at 4:03 AM Herring, Bruce (T55B) <
Bruce.Herring@hii-nns.com> wrote:
> Please take bruce.herring@hii-nns.com off your e-mail replies.
>
>
You are subscribed to the Axis2 dev list. You may want to unsubscribe.
Regards,
Robert
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
>
>
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
>
>
RE: RE: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Posted by "Herring, Bruce (T55B)" <Br...@hii-nns.com>.
Please take bruce.herring@hii-nns.com<ma...@hii-nns.com> off your e-mail replies.
From: shatabdi.bose@daimler.com [mailto:shatabdi.bose@daimler.com]
Sent: Monday, February 11, 2019 6:13 AM
To: java-dev@axis.apache.org; robertlazarski@gmail.com
Subject: EXT: RE: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Hi Robert,
Thanks for the reply.
I tried with the latest Axis2 1.7.9, configured with httpclient-4.5.3.jar. But, still I am facing the same issue. Could you please let me know the exact Axis2 version where this issue is fixed?
This is not a self-signed certificate.
Thanks,
Shatabdi
From: robertlazarski [mailto:robertlazarski@gmail.com]
Sent: Monday, February 11, 2019 5:37 AM
To: java-dev@axis.apache.org<ma...@axis.apache.org>
Subject: Re: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Axis2 1.4 is very old and is unsupported.
The latest Axis2 allows you to configure httpclient4 instead of httpclient3. That might help.
Is your SSL cert self signed? It may be misconfigured.
Regards,
Robert
On Thu, Feb 7, 2019 at 7:12 PM <sh...@daimler.com>> wrote:
Hello Team,
We are using Axis2 1.4 to consume SOAP services from WSDL. Currently, facing issues with the SSL verification. Error is :
org.apache.axis2.AxisFault
org.apache.axis2.AxisFault: HTTPS hostname invalid: expected '******’, received ‘******1234*****'
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:216)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:121)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:403)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:234)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected '******’, received ‘******1234*****'
at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(Unknown Source)
at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.executeMethod(HTTPSenderImpl.java:872)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:212)
... 58 more
We found a similar RFC 2818(https://tools.ietf.org/html/rfc2818 ) and also existing issue https://lwn.net/Articles/611992/ where the server hostname is being verified via the Subject name (CN field) and not via the SAN entries.
Is Axis2 1.4 also affected by this ? Which version of axis2 is this issue fixed?
Let us know.
Thanks,
Shatabdi
If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
RE: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Posted by sh...@daimler.com.
Hi Robert,
Thanks for the reply.
I tried with the latest Axis2 1.7.9, configured with httpclient-4.5.3.jar. But, still I am facing the same issue. Could you please let me know the exact Axis2 version where this issue is fixed?
This is not a self-signed certificate.
Thanks,
Shatabdi
From: robertlazarski [mailto:robertlazarski@gmail.com]
Sent: Monday, February 11, 2019 5:37 AM
To: java-dev@axis.apache.org
Subject: Re: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Axis2 1.4 is very old and is unsupported.
The latest Axis2 allows you to configure httpclient4 instead of httpclient3. That might help.
Is your SSL cert self signed? It may be misconfigured.
Regards,
Robert
On Thu, Feb 7, 2019 at 7:12 PM <sh...@daimler.com>> wrote:
Hello Team,
We are using Axis2 1.4 to consume SOAP services from WSDL. Currently, facing issues with the SSL verification. Error is :
org.apache.axis2.AxisFault
org.apache.axis2.AxisFault: HTTPS hostname invalid: expected '******’, received ‘******1234*****'
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:216)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:121)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:403)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:234)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected '******’, received ‘******1234*****'
at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(Unknown Source)
at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.executeMethod(HTTPSenderImpl.java:872)
at org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:212)
... 58 more
We found a similar RFC 2818(https://tools.ietf.org/html/rfc2818 ) and also existing issue https://lwn.net/Articles/611992/ where the server hostname is being verified via the Subject name (CN field) and not via the SAN entries.
Is Axis2 1.4 also affected by this ? Which version of axis2 is this issue fixed?
Let us know.
Thanks,
Shatabdi
If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
Re: [Axis2] - Is Axis2 version 1.4 affected by RFC 2818?
Posted by robertlazarski <ro...@gmail.com>.
Axis2 1.4 is very old and is unsupported.
The latest Axis2 allows you to configure httpclient4 instead of
httpclient3. That might help.
Is your SSL cert self signed? It may be misconfigured.
Regards,
Robert
On Thu, Feb 7, 2019 at 7:12 PM <sh...@daimler.com> wrote:
> Hello Team,
>
>
>
> We are using Axis2 1.4 to consume SOAP services from WSDL. Currently,
> facing issues with the SSL verification. Error is :
>
>
>
> org.apache.axis2.AxisFault
>
> org.apache.axis2.AxisFault: HTTPS hostname invalid: expected '******’,
> received ‘******1234*****'
>
> at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
>
> at
> org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:216)
>
> at
> org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:121)
>
> at
> org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:403)
>
> at
> org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:234)
>
> at
> org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431)
>
> at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399)
>
> at
> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname
> invalid: expected '******’, received ‘******1234*****'
>
> at
> org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(Unknown
> Source)
>
> at
> org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(Unknown
> Source)
>
> at
> org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>
> at
> org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>
> at
> org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>
> at
> org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>
> at
> org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>
> at
> org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.executeMethod(HTTPSenderImpl.java:872)
>
> at
> org.apache.axis2.transport.http.impl.httpclient3.HTTPSenderImpl.sendViaPost(HTTPSenderImpl.java:212)
>
> ... 58 more
>
>
>
> We found a similar RFC 2818(https://tools.ietf.org/html/rfc2818 ) and
> also existing issue https://lwn.net/Articles/611992/ where the server
> hostname is being verified via the Subject name (CN field) and not via the
> SAN entries.
>
>
>
> Is Axis2 1.4 also affected by this ? Which version of axis2 is this issue
> fixed?
>
> Let us know.
>
>
>
> Thanks,
>
> Shatabdi
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
>