Fix SSLHandshakeException while closing HTTPConduit #25148
Conversation
|
#spawn.fullfat.buckets=com.ibm.ws.jaxws.2.2.webcontainer_fat,com.ibm.ws.jaxws.2.2.webcontainer_fat_extended,com.ibm.ws.jaxws.cdi_fat,com.ibm.ws.jaxws.clientcontainer_fat,com.ibm.ws.jaxws.ejb_fat,com.ibm.ws.jaxws.X.wsat_fat,io.openliberty.xmlws.4.0.internal_fat,io.openliberty.ws.jaxws.global.handler.internal_fat,io.openliberty.jaxws.security_fat.ssl,io.openliberty.jaxws.security_fat.1,io.openliberty.jaxws.security_fat,com.ibm.ws.wssecurity_fat.wsscxf.1,com.ibm.ws.wssecurity_fat.wsscxf.2,com.ibm.ws.wssecurity_fat.wsscxf.3, com.ibm.ws.wssecurity_fat.wsscxf.4,com.ibm.ws.wssecurity_fat.wsscxf.saml.1,com.ibm.ws.wssecurity_fat.wsscxf.saml.2,com.ibm.ws.wssecurity_fat.wsscxf.saml.3,com.ibm.ws.wssecurity_fat.wsscxf.saml.4,com.ibm.ws.wssecurity_fat.wsscxf.saml.5,com.ibm.ws.wssecurity_fat.wsscxf.saml.6 |
|
#build |
|
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_sWlPYOgrEe2D8Kk7c5d7Ig Target locations of links might be accessible only to IBM employees. |
|
The build sawadood-25148-20230501-0831 For help analyzing your personal build, go to https://libh-proxy1.fyre.ibm.com/cognitive/buildAnalysis.html?uuid=_sWlPYOgrEe2D8Kk7c5d7Ig |
|
Personal build has 11 failures, all these failures have the same error ""invalid test bucket"" and not related to my fix. |
|
#run-libby-bot |
|
Tested this fix locally also and did not find any issues. |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
|
|
||
| // Liberty start | ||
| boolean isRestMessage = | ||
| PropertyUtils.isTrue(message.getExchange().get(org.apache.cxf.message.Message.REST_MESSAGE)); |
There was a problem hiding this comment.
Can you confirm that org.apache.cxf.rest.message is present on MP Rest Client requests in addition to vanilla JAX-RS request please?
There was a problem hiding this comment.
Yes, I have tested that org.apache.cxf.rest.message is present on MP REST client requests.
| } | ||
|
|
||
| if (socketFactory != null) { | ||
| LOG.fine("SSL socketFactory: " + socketFactory.getClass().getCanonicalName()); // Liberty Change |
| LOG.fine("No trustManagers set on tlsClientParameters, so use Liberty's DefaultSSLSocketFactory"); | ||
| socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory(); | ||
| } | ||
| // Liberty Change End |
There was a problem hiding this comment.
Move this // Liberty Change End to after line 178
| verifier = new AllowAllHostnameVerifier(); | ||
| } else if (!performHostNameVerification) { // Liberty Change Start | ||
| LOG.fine("TS012061109: performHostNameVerification is false, setting verifier to AllowAllHostnameVerifier."); |
| } | ||
| }); | ||
| performHostNameVerification = b.booleanValue(); | ||
| LOG.fine("TS012061109: Property com.ibm.ssl.performURLHostNameVerification is set to: " + performHostNameVerification); |
|
@sawadood I don't know why it's not allowing my to block the merge with "Request Changes", but I would like to see my comments addressed before you merge, thanks! |
| @@ -393,6 +409,7 @@ protected InputStream getInputStream() throws IOException { | |||
| in = connection.getInputStream(); | |||
| } catch (IOException ex) { | |||
| // ignore | |||
| LOG.fine("Ignoring unexpected exception in getInputStream(): " + ex); // Liberty Change | |||
There was a problem hiding this comment.
It seems to me that this code section might be incorrect (but would not cause a problem in most cases). They are attempting to get the "Error Stream". Shouldn't the if check here be if (in != null)?
Also, I'd suggest changing your log message to "Ignoring unexpected exception in getInputStream() when an error stream is present: "
| if (HTTPS_URL_PROTOCOL_ID.equals(url.getProtocol())) { | ||
|
|
||
| if (tlsClientParameters == null) { | ||
| LOG.fine("tlsClientParameters is NULL, get new"); // Liberty Change |
|
|
||
| // Liberty Change Start | ||
| if (verifier != null) { | ||
| LOG.fine("Hostname verifier obtained from SSLUtils.getHostnameVerifier: " + verifier.getClass().getCanonicalName()); |
There was a problem hiding this comment.
Suggestion: Remove the if check and change the line to the following so you'll know if it is null or not more easily:
LOG.fine(""Hostname verifier obtained from SSLUtils.getHostnameVerifier: " + (verifier==null? "null": verifier.getClass().getCanonicalName()));
There was a problem hiding this comment.
I think we should leave the if check, but only print a message if the verifier is null.
| } | ||
|
|
||
| if (tlsClientParameters != null) { | ||
| LOG.fine("isDisableCNCheck value in tlsClientParameters: " + tlsClientParameters.isDisableCNCheck()); |
There was a problem hiding this comment.
same suggestion here as above.
| HttpsURLConnection conn = (HttpsURLConnection) connection; | ||
| // Liberty Change Start | ||
| if (verifier != null) { | ||
| LOG.fine("Setting Hostname verifier to: " + verifier.getClass().getCanonicalName()); |
fixes #24986