[jira] [Resolved] (CXF-7334) HTTPS CN check errors when disableCNCheck is set to true

Mon, 10 Sep 2018 03:34:23 -0700 


     [ 
https://issues.apache.org/jira/browse/CXF-7334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved CXF-7334.
--------------------------------------
    Resolution: Cannot Reproduce

We need a test-case to be able to reproduce the problem.

> HTTPS CN check errors when disableCNCheck is set to true
> --------------------------------------------------------
>
>                 Key: CXF-7334
>                 URL: https://issues.apache.org/jira/browse/CXF-7334
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.1.9, 3.1.10, 3.1.11
>         Environment: OpenJDK 1.8.0_121, JBoss EAP 6.4.3.GA
>            Reporter: Kisrákói Gyula
>            Priority: Major
>
> We get CN check errors in some of our deployments, although 'disableCNCheck' 
> is set to true in the config. The same application is deployed with the same 
> configuration and environment on two server instances. On the first server it 
> works, we get no such error, on the second server (which is cloned from the 
> first one) every request fails. I couldn't reproduce the error in our test 
> environment.
> I've excluded all JBoss's built-in CXF classes in the deployment descriptor, 
> so it's not a classloading problem, the CXF classes in use are the bundled 
> ones in the application.
> The HTTP conduit configuration for the client:
> {code}
> <http:conduit name="{<namespace>}<port>.http-conduit">
>       <http:tlsClientParameters disableCNCheck="true" 
> useHttpsURLConnectionDefaultHostnameVerifier="false" sslCacheTimeout="1">
> ...
> {code}
> The HTTP conduit configuration is applied to the requests, I see the 
> following in the debug log:
> {code}
> <date> DEBUG org.apache.cxf.transport.http.HTTPConduit - Conduit 
> '{<namespace>}<port>.http-conduit' has been configured for TLS keyManagers 
> [sun.security.ssl.SunX509KeyManagerImpl@a4cb362]trustManagers 
> [sun.security.ssl.X509TrustManagerImpl@34ed52cf]secureRandom nullDisable 
> Common Name (CN) Check: true
> {code}
> The error:
> {code}
>  <date> WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for 
> {<namespace>}port#{<namespace>}<operation> has thrown exception, unwinding now
>  org.apache.cxf.interceptor.Fault: Could not send Message.
>       at 
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
>       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>       at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
>       at com.sun.proxy.$Proxy241.<operation>(Unknown Source)
> .....
> Caused by: java.io.IOException: IOException invoking 
> https://<server-ip>:<port>/<service>/<path>: The https URL hostname does not 
> match the Common Name (CN) on the server certificate in the client's 
> truststore.  Make sure server certificate is correct, or to disable this 
> check (NOT recommended for production) set the CXF client TLS configuration 
> property "disableCNCheck" to true.
>       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>       at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>       at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>       at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1385)
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1369)
>       at 
> hu.logesz.cxf.logging.LoggingOutInterceptor$OutputStreamWrapper.close(LoggingOutInterceptor.java:203)
>       at 
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:653)
>       at 
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>       ... 53 more
> Caused by: java.io.IOException: The https URL hostname does not match the 
> Common Name (CN) on the server certificate in the client's truststore.  Make 
> sure server certificate is correct, or to disable this check (NOT recommended 
> for production) set the CXF client TLS configuration property 
> "disableCNCheck" to true.
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1291)
>       at 
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:305)
>       at 
> org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>       at 
> org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1341)
>       ... 57 more
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to