Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7334

HTTPS CN check errors when disableCNCheck is set to true

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Cannot Reproduce
    • 3.1.9, 3.1.10, 3.1.11
    • None
    • Transports
    • None

    • OpenJDK 1.8.0_121, JBoss EAP 6.4.3.GA

    • Unknown

    Description

      We get CN check errors in some of our deployments, although 'disableCNCheck' is set to true in the config. The same application is deployed with the same configuration and environment on two server instances. On the first server it works, we get no such error, on the second server (which is cloned from the first one) every request fails. I couldn't reproduce the error in our test environment.

      I've excluded all JBoss's built-in CXF classes in the deployment descriptor, so it's not a classloading problem, the CXF classes in use are the bundled ones in the application.

      The HTTP conduit configuration for the client:

      <http:conduit name="{<namespace>}<port>.http-conduit">
	<http:tlsClientParameters disableCNCheck="true" useHttpsURLConnectionDefaultHostnameVerifier="false" sslCacheTimeout="1">
...

      The HTTP conduit configuration is applied to the requests, I see the following in the debug log:

      <date> DEBUG org.apache.cxf.transport.http.HTTPConduit - Conduit '{<namespace>}<port>.http-conduit' has been configured for TLS keyManagers [sun.security.ssl.SunX509KeyManagerImpl@a4cb362]trustManagers [sun.security.ssl.X509TrustManagerImpl@34ed52cf]secureRandom nullDisable Common Name (CN) Check: true

      The error:

       <date> WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {<namespace>}port#{<namespace>}<operation> has thrown exception, unwinding now
 org.apache.cxf.interceptor.Fault: Could not send Message.
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
	at com.sun.proxy.$Proxy241.<operation>(Unknown Source)
.....
Caused by: java.io.IOException: IOException invoking https://<server-ip>:<port>/<service>/<path>: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore.  Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1385)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1369)
	at hu.logesz.cxf.logging.LoggingOutInterceptor$OutputStreamWrapper.close(LoggingOutInterceptor.java:203)
	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:653)
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	... 53 more
Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore.  Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1291)
	at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:305)
	at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
	at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1341)
	... 57 more

      Attachments

        Activity

          People

            Unassigned Unassigned
            juliusk Kisrákói Gyula
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: