Discussion:
CXF 3.0.4 client - how to disable CN checking
smq
2015-04-10 21:51:31 UTC
Permalink
I don't know how to programmatically disable CN checking with CXF 3.0.4
JAX-RS 2.0 client. My code is as follows:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.cxf.jaxrs.client.spec.ClientBuilderImpl;

// JVM-wide settings: switch SNI off and install an accept-everything default verifier
System.setProperty("jsse.enableSNIExtension", "false");
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession sslSession) {
        return true;
    }
});

// CXF's ClientBuilder implementation, called through its static factory
Client client = ClientBuilderImpl.newClient();
String urlHost = "https://" + centralNode;
WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
String encodedpw = Base64.encodeBase64String(passwd.getBytes());
String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
logger.info("json body=" + body); // note: this writes the (only base64-encoded) password to the log
Response res = target.request(MediaType.APPLICATION_JSON)
        .post(Entity.entity(body, MediaType.APPLICATION_JSON));

As you can see, I already tried to override the default HostnameVerifier,
and set jsse.enableSNIExtension to false. None of these worked, I am still
getting the exception:

"The https URL hostname does not match the Common Name (CN) on the server
certificate in the client's truststore. Make sure server certificate is
correct, or to disable this check (NOT recommended for production) set the
CXF client TLS configuration property "disableCNCheck" to true."

Please help!



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938.html
Sent from the cxf-user mailing list archive at Nabble.com.
Colm O hEigeartaigh
2015-04-13 16:02:34 UTC
Permalink
The default HostnameVerifier is only used if the
"useHttpsURLConnectionDefaultHostnameVerifier" attribute of the CXF TLS
ClientParameters Object is set to "true". See here:

http://cxf.apache.org/docs/tls-configuration.html

Alternatively you can just call "setDisableCNCheck(false)" on the
TLSClientParameters Object. See the following tests for some examples:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/transports/src/test/java/org/apache/cxf/systest/https/trust/TrustManagerTest.java;h=6264f447d87b7aad790ecec007ba69de43cab7c5;hb=HEAD
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java;h=2f6844971dfc78854dc76870b267391e2be087ac;hb=HEAD

Colm.
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
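Both properties Colm names live on the TLSClientParameters of the CXF HTTP conduit that sits behind a JAX-RS 2.0 WebTarget. The following is an added example, not code from this thread or from the CXF project, showing how to reach that object from a WebTarget and set the test-only switch next to a narrower alternative that keeps the check on. It assumes that WebClient.getConfig(Object) accepts a WebTarget produced by a CXF-backed ClientBuilder (as the CXF JAX-RS client documentation describes), that the map passed to allowKnownNames is keyed by lower-cased URL hosts, and that the class and method names are the example's own.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.WebTarget;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.transport.http.HTTPConduit;

/** Added example (assumed names): configure the CXF conduit behind a JAX-RS 2.0 WebTarget. */
public final class CxfHostnameConfig {

    /** TLS parameters of the HTTP conduit behind the target; created if the conduit has none yet. */
    static TLSClientParameters tlsParams(WebTarget target) {
        HTTPConduit conduit = WebClient.getConfig(target).getHttpConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
            conduit.setTlsClientParameters(tls);
        }
        return tls;
    }

    /** The thread's switch, for tests only: any server with a trusted certificate is accepted, whatever its name. */
    public static void disableCnCheckForTests(WebTarget target) {
        tlsParams(target).setDisableCNCheck(true);
    }

    /**
     * Narrower alternative: keep the check on, make CXF consult the JVM default verifier
     * ("useHttpsURLConnectionDefaultHostnameVerifier"), and install a verifier that accepts
     * only an explicit URL-host -> certificate-name mapping, deferring to the previously
     * installed default for every other host. Map keys must be lower-cased hosts (assumption).
     */
    public static void allowKnownNames(WebTarget target, Map<String, String> certNameByUrlHost) {
        TLSClientParameters tls = tlsParams(target);
        tls.setDisableCNCheck(false);
        tls.setUseHttpsURLConnectionDefaultHostnameVerifier(true);
        HostnameVerifier previous = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier(new KnownNameVerifier(certNameByUrlHost, previous));
    }

    /** Accepts a listed host only if the leaf certificate carries exactly the name recorded for it. */
    static final class KnownNameVerifier implements HostnameVerifier {
        private final Map<String, String> certNameByUrlHost;
        private final HostnameVerifier fallback;

        KnownNameVerifier(Map<String, String> certNameByUrlHost, HostnameVerifier fallback) {
            this.certNameByUrlHost = certNameByUrlHost;
            this.fallback = fallback;
        }

        @Override
        public boolean verify(String hostname, SSLSession session) {
            String expected = certNameByUrlHost.get(hostname.toLowerCase(Locale.ROOT));
            if (expected == null) {
                return fallback.verify(hostname, session); // unlisted host: previous behaviour applies
            }
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    return false;
                }
                return namesOf((X509Certificate) chain[0]).contains(expected.toLowerCase(Locale.ROOT));
            } catch (SSLPeerUnverifiedException | CertificateParsingException | InvalidNameException e) {
                return false; // certificate unavailable or unparseable: fail closed
            }
        }
    }

    /** dNSName SAN entries plus the subject CN of one certificate, lower-cased. */
    static Set<String> namesOf(X509Certificate cert) throws CertificateParsingException, InvalidNameException {
        Set<String> names = new HashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) { // GeneralName type 2 = dNSName
                    names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                names.add(String.valueOf(rdn.getValue()).toLowerCase(Locale.ROOT));
            }
        }
        return names;
    }
}
```

Because the "useHttpsURLConnectionDefaultHostnameVerifier" route goes through the JVM-wide default verifier, KnownNameVerifier hands unlisted hosts to whatever verifier was installed before it; the JDK's own default verifier rejects everything that the built-in name match already rejected, so those hosts keep failing closed. disableCnCheckForTests, by contrast, accepts any trusted certificate for any host, which is the precondition for a man-in-the-middle and the reason the CXF message marks it NOT recommended for production.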
Colm O hEigeartaigh
2015-04-13 16:03:11 UTC
Permalink
Correction: "setDisableCNCheck(true)"

Colm.
smq
2015-04-13 22:44:41 UTC
Permalink
The links to the example code all point to the pre-CXF 3.0 client. I am using CXF
3.0.4, which implements JAX-RS 2.0. The Client I use is
javax.ws.rs.client.Client, so the methods in the example do not apply.



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938p5756007.html
Sent from the cxf-user mailing list archive at Nabble.com.
Sergey Beryozkin
2015-04-14 02:57:58 UTC
Permalink
You do not use it correctly, though.

HttpsURLConnection.setDefaultHostnameVerifier is not part of the JAX-RS 2.0 API.

Can you set a verifier on ClientBuilder? That should do it...

Cheers, Sergey
Sergey Beryozkin
2015-04-14 03:02:33 UTC
Permalink
You also use ClientBuilderImpl.newClient();

Impl is not needed, but besides that you need to do:

ClientBuilder builder = ClientBuilder.newBuilder();
and then set builder properties and create a client

Cheers, Sergey
smq
2015-04-15 21:06:18 UTC
Permalink
Tried to set HostnameVerifier on ClientBuilder - does not work :-( Here is
the code snippet:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Base64;

ClientBuilder clientBuilder = ClientBuilder.newBuilder();
clientBuilder.hostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession sslSession) {
        return true;
    }
});
// note: newClient() is a static factory method of ClientBuilder, not an instance method
Client client = clientBuilder.newClient();
//Client client = ClientBuilderImpl.newClient();
String urlHost = "https://" + centralNode;
WebTarget target = client.target(urlHost).path(BASE_SERVICE_URL);
String encodedpw = Base64.encodeBase64String(passwd.getBytes());
String body = "{\"uid\" : \"" + uid + "\",\"password\": \"" + encodedpw + "\"}";
Invocation.Builder builder = target.request(MediaType.APPLICATION_JSON);
Response res = builder.post(Entity.entity(body, MediaType.APPLICATION_JSON));

Still getting Common Name mismatch exception.





--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938p5756092.html
Sent from the cxf-user mailing list archive at Nabble.com.
Sergey Beryozkin
2015-04-17 14:32:50 UTC
Permalink
I have this test:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRS20HttpsBookTest.java;h=818749cf01186d905932e763849471baec407421;hb=HEAD

If I remove the line where the hostname verifier is registered I get an
error coming out of the Java HttpsClient that 'localhost' is problematic...

KeyStore 'keyStore' is not needed if the server requires no TLS client
authentication.

What is different in your case ?

Sergey
smq
2015-04-20 13:34:51 UTC
Permalink
The differences I can see:
- you are calling ClientBuilder.build() - in my CXF 3.0.4, ClientBuilder does
not have a build() method, so I am using newClient()
- you are setting keyStore
- you are setting trustManager



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-client-how-to-disable-CN-checking-tp5755938p5756289.html
Sent from the cxf-user mailing list archive at Nabble.com.
Sergey Beryozkin
2015-04-20 14:10:37 UTC
Permalink
Post by smq
- you are calling ClientBuilder.build() - in my CXF3.0.4, ClientBuilder does
not have build() method, so I am using newClient()
I'm not calling a static .build() method, I'm calling it on a
ClientBuilder instance
Post by smq
- you are setting keyStore
As I said - that is not needed if no two-way TLS is required
Post by smq
- you are setting trustManager
Yes. My understanding this is needed if a server provides a certificate
and a hostname verifier is used if you need to customize the certificate
validation process (re checking the host names).

I don't understand how you can use a hostname verifier if you have no
trustManager? Is it a valid combination?

Sergey
Sergey Beryozkin
2015-04-20 14:19:15 UTC
Permalink
plain HTTPS server...
So - please do ClientBuilder.build(), set a verifier only,
and test (we thought you probably have a 'plain' HTTP server running
locally). If it still does not work - please provide a Maven-based project.
Sergey
--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
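Sergey's last two replies come down to building the client from the configured builder and deciding what the verifier should actually do. The following is an added example, not code from this thread or from the CXF project, using only the portable javax.ws.rs.client API. The trust-store path, password, host name and request path are assumptions, as are the class and method names; the trust store may be omitted, in which case JSSE falls back to the JVM's default trust store, which is why a verifier can be set without a trustManager.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/** Added example (assumed names): a JAX-RS 2.0 HTTPS client built with the portable ClientBuilder API. */
public final class JaxRs2HttpsClient {

    private static final Logger LOG = Logger.getLogger(JaxRs2HttpsClient.class.getName());

    /**
     * Build the client from the builder that was configured. ClientBuilder.newClient() is a
     * static factory that returns a default client, so "clientBuilder.newClient()" compiles but
     * discards the verifier and trust store set on the builder; build() is the instance method.
     */
    public static Client buildClient(KeyStore trustStore, HostnameVerifier verifier) {
        ClientBuilder builder = ClientBuilder.newBuilder();
        if (trustStore != null) {
            builder.trustStore(trustStore); // when omitted, the JVM default trust store is used
        }
        if (verifier != null) {
            builder.hostnameVerifier(verifier);
        }
        return builder.build();
    }

    /** Load a JKS/PKCS12 trust store holding the server's CA (path and password are the caller's). */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Diagnostic verifier. HttpsURLConnection consults the HostnameVerifier only after its own
     * host-name match has failed, so this code runs exactly in the situation the thread is
     * about. It records which names the certificate really carries and still rejects the
     * connection, instead of hiding the mismatch behind "return true".
     */
    public static HostnameVerifier explainMismatch() {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                try {
                    X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                    LOG.warning("TLS host-name mismatch: URL host '" + hostname
                            + "' is not covered by certificate subject '"
                            + leaf.getSubjectX500Principal().getName()
                            + "', SANs " + leaf.getSubjectAlternativeNames());
                } catch (Exception e) {
                    LOG.warning("TLS host-name mismatch for '" + hostname
                            + "', peer certificate unavailable: " + e);
                }
                return false; // fail closed: fix the certificate's names or the URL host instead
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Assumed values, not taken from the thread.
        String centralNode = "central-node.example.internal";
        KeyStore trust = loadTrustStore("/etc/app/truststore.jks", "changeit".toCharArray());
        Client client = buildClient(trust, explainMismatch());
        try {
            WebTarget target = client.target("https://" + centralNode).path("/api/login");
            String body = "{\"uid\":\"alice\",\"password\":\"...\"}"; // credentials travel only over verified TLS
            Response res = target.request(MediaType.APPLICATION_JSON)
                    .post(Entity.entity(body, MediaType.APPLICATION_JSON));
            System.out.println("HTTP " + res.getStatus());
        } finally {
            client.close();
        }
    }
}
```

Running this against a server whose certificate does not name centralNode produces one warning line listing the subject DN and the SAN entries, which is usually enough to see whether the URL should use a different host name or the certificate needs reissuing. Only once that is settled, and only in a test environment, does an accept-all verifier or disableCNCheck have any legitimate place.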