[sec-proxy] fix SNI support / upgrade to httpclient 4.3.2 ? #1313

Closed
landryb opened this issue Mar 16, 2016 · 3 comments
Comments


landryb commented Mar 16, 2016

Similar to geonetwork/core-geonetwork#1368, our sec-proxy trips on an https server with SNI:

security [ERROR] Exception occured when trying to connect to the remote host:
javax.net.ssl.SSLException: hostname in certificate didn't match: <wms.craig.fr> != <ids.craig.fr> OR <ids.craig.fr> OR <craig.fr>

We use httpclient 4.2.1 in security-proxy, and if I replace the jar by httpclient 4.3.2 (which fixes/supports SNI) and httpcore-4.3.1 (the versions I have in geonetwork) it's still broken/fails to fetch the getcapabilities.

STR: on sdi.georchestra.org/mapfishapp, try to load https://wms.craig.fr/ortho


landryb commented Mar 16, 2016

Same issue with httpclient-4.3.3 & httpcore-4.3.2 copied from extractorapp webapp


landryb commented Mar 16, 2016

More context for the traceback:

javax.net.ssl.SSLException: hostname in certificate didn't match: <wxs.craig.fr> != <ids.craig.fr> OR <ids.craig.fr> OR <craig.fr>
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:231)
        at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:152)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:133)
        at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:559)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:534)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
        at org.georchestra.security.Proxy.executeHttpRequest(Proxy.java:755)
        at org.georchestra.security.Proxy.handleRequest(Proxy.java:692)
        at org.georchestra.security.Proxy.handleUrlParamRequest(Proxy.java:313)
        at org.georchestra.security.Proxy.handleUrlGETRequest(Proxy.java:271)

And the request on sdi.georchestra.org via curl to set the Referer:

curl -H 'Referer: https://sdi.georchestra.org/' "https://sdi.georchestra.org/proxy/?url=https://wms.craig.fr/ortho?REQUEST=GetCapabilities&SERVICE=WMS&FORMAT=image%2Fpng"
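
A standard-library diagnostic for the failure in the traceback above, added here and not part of the geOrchestra code: it fetches the certificate a server presents with and without SNI, and checks the requested hostname against the certificate's names the way a verifier does, so the "didn't match" verdict can be reproduced and explained. The craig.fr certificate below is constructed to mirror the error message, not a live certificate.

```python
"""Diagnose TLS hostname-verification failures caused by a missing SNI extension.
Added example, not sec-proxy code; standard library only."""
import socket
import ssl


def cert_names(cert):
    """Identities a verifier compares against: SAN dNSNames, falling back to the
    subject CN when no SAN is present (the 'OR' list in the error mirrors this)."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for (k, v) in rdn if k == "commonName")
    return names


def name_matches(pattern, host):
    """RFC 6125-style match: exact, or one left-most wildcard label that must
    cover at least two further labels (so '*.fr' never matches 'craig.fr')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))


def diagnose(cert, host):
    """Verdict in the same shape as the sec-proxy error line above."""
    names = cert_names(cert)
    if hostname_matches(cert, host):
        return "ok: <%s> matches %s" % (host, " OR ".join(names))
    return "hostname in certificate didn't match: <%s> != %s" % (
        host, " OR ".join("<%s>" % n for n in names))


def fetch_peer_cert(host, port=443, send_sni=True):
    """Fetch the certificate a server presents with or without SNI. Without SNI a
    name-based virtual host returns its default certificate, which is what a
    client lacking SNI support (httpclient 4.2.x) ends up verifying."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # hostname check is done by diagnose() instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still be trusted
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()


# Constructed sample: the default-vhost certificate named in the traceback,
# i.e. what the server hands out when the client sends no SNI.
DEFAULT_VHOST_CERT = {
    "subject": ((("commonName", "ids.craig.fr"),),),
    "subjectAltName": (("DNS", "ids.craig.fr"), ("DNS", "craig.fr")),
}

if __name__ == "__main__":
    print(diagnose(DEFAULT_VHOST_CERT, "wms.craig.fr"))
```

Against a live host, compare `diagnose(fetch_peer_cert(h, send_sni=False), h)` with `send_sni=True`: if only the former fails, the server depends on SNI and a client without SNI support will see exactly this error.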


landryb commented Mar 17, 2016

I can confirm that it works fine now, in production on https://ids.craig.fr/, thanks @pmauduit. Only remaining issue is that to be really full-https, the services have to be tweaked/reconfigured to provide https urls too in the OnlineResource parts of the GetCapabilities document. Sigh, this https thing is a never ending horror.
