-
Notifications
You must be signed in to change notification settings - Fork 582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix SSLHandshakeException while closing HTTPConduit #25148
Fix SSLHandshakeException while closing HTTPConduit #25148
Conversation
#spawn.fullfat.buckets=com.ibm.ws.jaxws.2.2.webcontainer_fat,com.ibm.ws.jaxws.2.2.webcontainer_fat_extended,com.ibm.ws.jaxws.cdi_fat,com.ibm.ws.jaxws.clientcontainer_fat,com.ibm.ws.jaxws.ejb_fat,com.ibm.ws.jaxws.X.wsat_fat,io.openliberty.xmlws.4.0.internal_fat,io.openliberty.ws.jaxws.global.handler.internal_fat,io.openliberty.jaxws.security_fat.ssl,io.openliberty.jaxws.security_fat.1,io.openliberty.jaxws.security_fat,com.ibm.ws.wssecurity_fat.wsscxf.1,com.ibm.ws.wssecurity_fat.wsscxf.2,com.ibm.ws.wssecurity_fat.wsscxf.3, com.ibm.ws.wssecurity_fat.wsscxf.4,com.ibm.ws.wssecurity_fat.wsscxf.saml.1,com.ibm.ws.wssecurity_fat.wsscxf.saml.2,com.ibm.ws.wssecurity_fat.wsscxf.saml.3,com.ibm.ws.wssecurity_fat.wsscxf.saml.4,com.ibm.ws.wssecurity_fat.wsscxf.saml.5,com.ibm.ws.wssecurity_fat.wsscxf.saml.6 |
#build |
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_sWlPYOgrEe2D8Kk7c5d7Ig Target locations of links might be accessible only to IBM employees. |
The build sawadood-25148-20230501-0831 For help analyzing your personal build, go to https://libh-proxy1.fyre.ibm.com/cognitive/buildAnalysis.html?uuid=_sWlPYOgrEe2D8Kk7c5d7Ig |
Personal build has 11 failures, all these failures have the same error ""invalid test bucket"" and not related to my fix. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks great! Especially, I believe added traces will helps us tremendously!!
#run-libby-bot |
Tested this fix locally also and did not find any issues. |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
|
||
// Liberty start | ||
boolean isRestMessage = | ||
PropertyUtils.isTrue(message.getExchange().get(org.apache.cxf.message.Message.REST_MESSAGE)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you confirm that org.apache.cxf.rest.message
is present on MP Rest Client requests in addition to vanilla JAX-RS request please?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I have tested that org.apache.cxf.rest.message is present on MP REST client requests.
} | ||
|
||
if (socketFactory != null) { | ||
LOG.fine("SSL socketFactory: " + socketFactory.getClass().getCanonicalName()); // Liberty Change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Liberty Change End
LOG.fine("No trustManagers set on tlsClientParameters, so use Liberty's DefaultSSLSocketFactory"); | ||
socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory(); | ||
} | ||
// Liberty Change End |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move this // Liberty Change End
to after line 178
verifier = new AllowAllHostnameVerifier(); | ||
} else if (!performHostNameVerification) { // Liberty Change Start | ||
LOG.fine("TS012061109: performHostNameVerification is false, setting verifier to AllowAllHostnameVerifier."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove TS012061109
} | ||
}); | ||
performHostNameVerification = b.booleanValue(); | ||
LOG.fine("TS012061109: Property com.ibm.ssl.performURLHostNameVerification is set to: " + performHostNameVerification); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove TS012061109
@sawadood I don't know why it's not allowing my to block the merge with "Request Changes", but I would like to see my comments addressed before you merge, thanks! |
@@ -393,6 +409,7 @@ protected InputStream getInputStream() throws IOException { | |||
in = connection.getInputStream(); | |||
} catch (IOException ex) { | |||
// ignore | |||
LOG.fine("Ignoring unexpected exception in getInputStream(): " + ex); // Liberty Change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems to me that this code section might be incorrect (but would not cause a problem in most cases). They are attempting to get the "Error Stream". Shouldn't the if check here be if (in != null)
?
Also, I'd suggest changing your log message to "Ignoring unexpected exception in getInputStream() when an error stream is present: "
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Just a couple comments/suggestions.
if (HTTPS_URL_PROTOCOL_ID.equals(url.getProtocol())) { | ||
|
||
if (tlsClientParameters == null) { | ||
LOG.fine("tlsClientParameters is NULL, get new"); // Liberty Change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: Change get
to create
|
||
// Liberty Change Start | ||
if (verifier != null) { | ||
LOG.fine("Hostname verifier obtained from SSLUtils.getHostnameVerifier: " + verifier.getClass().getCanonicalName()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: Remove the if check and change the line to the following so you'll know if it is null or not more easily:
LOG.fine(""Hostname verifier obtained from SSLUtils.getHostnameVerifier: " + (verifier==null? "null": verifier.getClass().getCanonicalName()));
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should leave the if check, but only print a message if the verifier is null.
} | ||
|
||
if (tlsClientParameters != null) { | ||
LOG.fine("isDisableCNCheck value in tlsClientParameters: " + tlsClientParameters.isDisableCNCheck()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same suggestion here as above.
HttpsURLConnection conn = (HttpsURLConnection) connection; | ||
// Liberty Change Start | ||
if (verifier != null) { | ||
LOG.fine("Setting Hostname verifier to: " + verifier.getClass().getCanonicalName()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment
fixes #24986