Posted to users@cxf.apache.org by Ne...@wellsfargo.com on 2015/04/21 17:33:21 UTC

SSL Socket EndpointIdentificationAlgorithm

========
Problem: "server certificate change is restricted during renegotiation"
========
javax.xml.ws.soap.SOAPFaultException: Marshalling Error: server certificate change is restricted during renegotiation -- Unable to make connection to ECPR getCustomerInformation201205 WebService -- stack trace=
com.wellsfargo.launchpad.exceptions.SystemException
                at com.wellsfargo.ebs.framework.fault.SystemFaultHelper.getFault(SystemFaultHelper.java:40)
                at com.wellsfargo.ebs.rewards.account.dao.EcprDAOImpl.getCustomerInformation(EcprDAOImpl.java:102)
                at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsWorkingModel.updateRewardsAccountInfoWithDetailsFromECPR(GetRewardsDetailsWorkingModel.java:644)
                at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.executePOIRequest(GetRewardsDetailsService.java:227)
                at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.getRewardsDetails(GetRewardsDetailsService.java:121)
                at com.wellsfargo.ebs.rewards.inquiry.GetRewardsDetailsService.getRewardsDetails201311(GetRewardsDetailsService.java:92)
                at com.wellsfargo.service.provider.ebs.rewards201311.EBSRewardsPortTypeImpl.getRewardsDetails(EBSRewardsPortTypeImpl.java:49)
                at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:483)
                at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
                at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
                at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:178)
                at com.wellsfargo.ebs.framework.cxf.ServiceWorxJAXWSMethodInvoker.invoke(ServiceWorxJAXWSMethodInvoker.java:114)
                at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
                at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
                at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
                at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
                at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
                at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
                at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
                at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
                at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
.......................

=========
The Cause:
========= 
Java recently fixed a Triple Handshake Attack problem (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6457) by checking the EndpointIdentificationAlgorithm (see sun.security.ssl.ClientHandshaker.java, Java 7u72 or later).
Here is the change.
.............
     // Decompiled from sun.security.ssl.ClientHandshaker: on renegotiation, compare the
     // new server certificate with the one saved from the initial handshake.
     if (this.reservedServerCerts != null) {
       localObject = getEndpointIdentificationAlgorithmSE();
       // Only when no endpoint identification algorithm is set on the socket is a
       // changed server certificate treated as a fatal alert.
       if (((localObject == null) || (((String) localObject).length() == 0))
           && !isIdentityEquivalent(arrayOfX509Certificate[0], this.reservedServerCerts[0])) {
         fatalSE(42, "server certificate change is restrictedduring renegotiation");
       }
     }
...............

As you can see, if the EndpointIdentificationAlgorithm of the SSL socket is not set, it will throw a "server certificate change is restrictedduring renegotiation" error under some conditions (e.g. the server uses multiple SSL certificates).
 
Sun's HttpsURLConnection sets EndpointIdentificationAlgorithm = "HTTPS" if you do not use a custom HostnameVerifier.
See Case 2 in http://www.docjar.net/html/api/sun/net/www/protocol/https/HttpsClient.java.html. Using HttpsURLConnection with the default HostnameVerifier will not produce this error because EndpointIdentificationAlgorithm = "HTTPS". (Note: this is also proved by testing.)

The Sun HttpsURLConnection used by the Apache CXF HTTP transport uses a custom HostnameVerifier. As a result, EndpointIdentificationAlgorithm = null (see Case 4 in http://www.docjar.net/html/api/sun/net/www/protocol/https/HttpsClient.java.html), which caused the "server certificate change is restricted during renegotiation" exception.

Note: the "server certificate change is restricted during renegotiation" error only happens while SSL clients are accessing a URL that uses multiple SSL certificates due to load balancing (e.g. F5). This is a complicated SSL topic and we do not need to discuss the root cause and its solutions here because there are many options.

========
Question:
========
As we know, setting EndpointIdentificationAlgorithm="HTTPS" is one of the solutions (the perfect solution requires doing the endpoint identification work at the TLS layer).
 
Besides using a custom SSLSocketFactory to set the SSL socket's EndpointIdentificationAlgorithm, is there an easy way (or tip) to set the SSL socket's EndpointIdentificationAlgorithm to "HTTPS" in the Apache CXF HTTP transport?

Thanks in advance

Ed

Re: SSL Socket EndpointIdentificationAlgorithm

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Ed,

I'm a little confused by one detail of your post. Apache CXF uses a custom
HostnameVerifier. According to one of the links you provided, this falls
under:

"case 4. non-default HNV and EIA is null No EIA, no EIA check done in
SSL/TLS layer, then do HTTPS check in HTTPS layer using HNV as override."

If no EIA check is done in the SSL/TLS layer for this scenario, then how
are you running into the "server certificate change is restrictedduring
renegotiation" error?

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com