-
Notifications
You must be signed in to change notification settings - Fork 582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mpRestClient-1.3 ignoring hostnameVerifier configuration #11108
Comments
A couple things I've noticed.... First, a side-note. Apparently one can set hostname verification at the SSL config level without applying the Second, There appear to be two, somewhat redundant, hostname verification levels implemented in Open Liberty.... One level is the server SSL config, where one can optionally set
A second level of hostname verification appears to be applied by the Apache CXF (the Impl for mpRestClients in Open Liberty) when For the time being, hostname verification in Open Liberty appears to be redundantly enabled, but with no way to disable. |
After testing with a older-style JAX-RS-2.1 client, I've got incontrovertible proof that this issue isn't due to something unique about my own appserver environment. The mpRestClient-1.3
Please fix ASAP, as I really need to be able to make use of the mpConfig aspects of my mpRestClient. |
Describe the bug
I have a server I'm calling where the domain doesn't exactly match the domain defined in the certificate loaded into my custom keystore. I've tried configuring a hostnameVerifier on my mpRestClient using both CDI-configured mpConfig properties from
microprofile-config.properties
as well as, alternatively, using a programmatically loaded client. In both cases, my customHostnameVerifier
appears to be totally ignored in favor of the Apache CXForg.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier
, which results in failure.Here's how I configure when using a CDI-injected mpRestClient...
Here's how I configure when using a programmatically-configured mpRestClient...
Here's my custom hostnameVerifier class...
Steps to Reproduce
Run a CDI-configured or programmatically-configured mpRestClient (while using a custom keystore - because that might be an important aspect of this issue), using configuration like I provided further above, and call a server that accepts the certificate but where the DNS name does not exactly match that defined in the certificate.
One can verify that the precondition is in place by enabling the
transportSecurity-1.0
feature and settingverifyHostname="true"
on thedefaultSSLConfig
(and ensurekeyStoreRef
is valued with your custom keystore Id). In such case, you should see something like...Expected behavior
Hostname verification should pass and I should see the following written to the message.log file...
Instead, hostname verification fails and I find no evidence that my custom
SSLAffirmativeHostnameVerifier
is ever invoked. I also get the stacktrace above, which clearly shows thatorg.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier
is being used for hostname verification instead of my custom hostname verifier class.Diagnostic information:
product = Open Liberty 20.0.0.2 (wlp-1.0.37.cl200220200204-1746)
java.version = 11.0.5
java.runtime = OpenJDK Runtime Environment (11.0.5+10)
os = Windows 10 (10.0; amd64) (en_US)
server.xml...
configDropins/defaults/keystore.xml...
jvm.options...
custom.security...
Additional context
Note that I am using the openliberty-microProfile3 package run via...
Note that I use a custom keystore. I have already opened another issue (#11103) regarding unnecessarily having to use the
appSecurity-2.0
(or 3.0) feature, instead of justssl-1.0
ortransportSecurity-1.0
, in order for my custom keystore to be utilized. Whether that has any bearing to this issue is unknown to me, but I thought I'd mention it.The text was updated successfully, but these errors were encountered: