AMBARI-24447: "No subject alternative DNS name" exception encountered when enabling Kerberos against an Active Directory even when SSL verification is off

Description

      A "No subject alternative DNS name" exception is encountered when enabling Kerberos against an Active Directory, even when SSL verification is turned off.

      2018-08-09 14:48:28,275  WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
      javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
              at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
              at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
      ...
      Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
      ...
      Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
              at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
              at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
              at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
              at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
      

      Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and OpenJDK 1.8.181-b13 is used. It is not seen when the Oracle JDK is used.

      Observed with this version of the JDK:
      openjdk version "1.8.0_181"
      OpenJDK Runtime Environment (build 1.8.0_181-b13)
      OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
      
      Not observed with this version of the JDK:
      java version "1.8.0_112"
      Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
      Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
      

      Solution
      The org.apache.ambari.server.security.InternalSSLSocketFactory.LenientTrustManager class needs to extend javax.net.ssl.X509ExtendedTrustManager and do nothing in the additional overridden methods (the Socket and SSLEngine overloads of checkClientTrusted and checkServerTrusted).
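      The shape of the fix, as an added illustration that is not Ambari's own code: when SSLContext.init() is handed a trust manager that implements only javax.net.ssl.X509TrustManager, the JDK wraps it in sun.security.ssl.AbstractTrustManagerWrapper (the class visible in the stack trace above), and that wrapper performs endpoint identification in checkAdditionalTrust() after the wrapped manager has accepted the chain. JNDI sets the "LDAPS" endpoint identification algorithm on LDAPS sockets from 8u181 onward, which is why the hostname check appears on that JDK and not on 8u112. A trust manager that extends X509ExtendedTrustManager is used as-is, so its Socket/SSLEngine overloads alone decide, and leaving them empty means no hostname check runs. The class name LenientTrustManagerExample and the socketFactory(boolean) helper are hypothetical; the helper hands the lenient manager to the context only when the administrator has explicitly disabled verification and otherwise uses the JDK's default trust managers.

```java
import java.net.Socket;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Hypothetical stand-in for the LenientTrustManager described in the ticket.
 *
 * Extending X509ExtendedTrustManager (rather than implementing X509TrustManager)
 * keeps the JDK from wrapping this object in AbstractTrustManagerWrapper, whose
 * checkAdditionalTrust() is where the "No subject alternative DNS name" hostname
 * check is raised. With the extended class, the Socket/SSLEngine overloads below
 * are called directly, and because they do nothing, no identity check happens.
 */
public final class LenientTrustManagerExample extends X509ExtendedTrustManager {

    // Plain X509TrustManager methods: still required, still intentionally empty.
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        // verification disabled by explicit configuration
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // verification disabled by explicit configuration
    }

    // The "additional overridden methods" from the ticket's solution. The JDK
    // invokes these for an X509ExtendedTrustManager instead of going through
    // AbstractTrustManagerWrapper, so leaving them empty skips endpoint
    // identification as well as chain validation.
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /**
     * Hypothetical helper: builds the socket factory for the LDAPS connection.
     * Only when verifyCertificates is false does the lenient manager get used;
     * passing null trust managers to init() selects the JDK defaults, which keep
     * both chain validation and the LDAPS hostname check.
     */
    public static SSLSocketFactory socketFactory(boolean verifyCertificates) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        TrustManager[] tms = verifyCertificates
                ? null
                : new TrustManager[] { new LenientTrustManagerExample() };
        ctx.init(null, tms, null);
        return ctx.getSocketFactory();
    }
}
```

      The ordering in the stack trace (AbstractTrustManagerWrapper.checkServerTrusted, then checkAdditionalTrust, then X509TrustManagerImpl.checkIdentity) is the quickest way to confirm, in a log, that a connection is going through the wrapper rather than through a trust manager of the extended type.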

      People

        rlevas Robert Levas