java - Host name verification in Spring Web Services -


i'd inquire on origins of difference in host verification behavior i'm observing spring web services, 2.2.2.release (under spring boot 1.3.0.m4) on java 1.7.

when configuring webservicetemplate use httpcomponentsmessagesender end error reading follows: 

i/o error: certificate <uswebservice.uat.hroffice.com> doesn't match of subject alternative names: [*.sbcsystems.com, sbcsystems.com]; nested exception javax.net.ssl.sslexception: certificate <uswebservice.uat.hroffice.com> doesn't match of subject alternative names: [*.sbcsystems.com, sbcsystems.com]

when reconfigure webservicetemplate use httpsurlconnectionmessagesender instead, above error disappears , call verify host name (as per rfc 2818) doesn't seem occur vs. how in above case (or @ least i'm unable trace it) although see spring's httpurlconnectionmessagesender's connection (sun.net.www.protocol.https.delegatehttpsurlconnection:https:// uswebservice.uat.hroffice.com/iwsuat/customs...) assigned respective host name verifier in createconnection() method (javax.net.ssl.httpsurlconnection$defaulthostnameverifier).

whether host name verification occurs or doesn't occur here in successful case (i'm inclined think still does, appreciate hand in discovering how it's been invoked) i'm questioning httpcomponentsmessagesender (the erroneous case) obtains certificate makes verification fail. checked cacerts file comes java installation (\jdk1.7.0_76\jre\lib\security) - it's not there. certificate present @ secure url (above) contains correct subject alt name:

not critical dns name: *.uat.hroffice.com dns name: uat.hroffice.com

whereas in case produces error, certificate seems have following values subject alt name field makes fail trying dereference uri above per spec : 

[8]: objectid: 2.5.29.17 criticality=false subjectalternativename [   dnsname: *.sbcsystems.com   dnsname: sbcsystems.com ]

the mysterious certificate in question visible in soapui (which how i'm able obtain in) running test in tool doesn't produce error - i'm assuming host name verification being somehow bypassed there (perhaps knows details).

the certificates 2 distinct ones have different expiration dates.

i tried disable host name verification via providing noop implementation of hostnameverifier seems questionable approach security in quest abandon i'm stumbled questions described above.

i appreciate in advance if shed bit more light @ symptoms i'm experiencing.

here related spring configurations: 

@bean public keystore keystore() throws throwable {     keystorefactorybean keystorefactory = new keystorefactorybean();     keystorefactory.setpassword(keystorepassword);     keystorefactory.setlocation(new classpathresource(keystorename));     keystorefactory.settype("jks");     keystorefactory.afterpropertiesset();     return keystorefactory.getobject(); }  @bean  public keymanager[] keymanagers() throws throwable{     keymanagersfactorybean keymanagerfactory = new keymanagersfactorybean();     keymanagerfactory.setkeystore(keystore());     keymanagerfactory.setpassword(keystorepassword);     keymanagerfactory.afterpropertiesset();     return keymanagerfactory.getobject(); }  @bean public httpsurlconnectionmessagesender httpsurlsender() throws throwable {     httpsurlconnectionmessagesender sender = new httpsurlconnectionmessagesender();     sender.setsslprotocol("tls");     sender.setkeymanagers(keymanagers());      /*sender.sethostnameverifier(new hostnameverifier() {          @override         public boolean verify(string arg0, sslsession arg1) {             return true;         }});*/     return sender; }     @bean public webservicetemplate webservicetemplate() throws throwable {     webservicetemplate webservicetemplate = new webservicetemplate();     webservicetemplate.setmarshaller(marshaller());     webservicetemplate.setunmarshaller(marshaller());     webservicetemplate.setdefaulturi(defaulturi);     webservicetemplate.setmessagefactory(messagefactory());     webservicetemplate.setmessagesender(/*new httpcomponentsmessagesender()*/httpsurlsender());     return webservicetemplate; }

when analyzing site @ ssllabs.com it's reported work in browsers sni support, perhaps fact it's used java has effect on above behavior (however java 1.7 seem have added correct sni behavior default)?

enter image description here


Comments

Post a Comment

Popular posts from this blog

html - Outlook 2010 Anchor (url/address/link) -

i'm trying link specific pdf page msoutlook'10 or msword'10, #page=... anchor particularly useful , works fine elsewhere. unfortunately when click [ctr-k] in outlook or winword, links re-formatted assuming unc path. pdf file located on shared drive. using "file:" prefix links open pdf in adobe reader (outside of browser), , "http:" open inside browser. issue seem need open in browser "file:" prefix in order anchor work. know anchors work inside browser. outlook uses windows/explorer default program (based on file extension) seems open in adobe reader neglecting anchor. is aware of solution, link specific page or bookmark of shared-pdf ms outlook and/or winword link? common references: mailermailer.com/...anchor-tags-html-emails campaignmonitor.com/...anchor-links-in-email-newsletters/ stackoverflow.com/...anchor-in-pdf-document
Read more

javascript - Why does running this loop 9 times take 100x longer than running it 8 times? -

consider code: test = function() { } t = new test(); (var = 0; < 8; i++) { result = t instanceof test; } if change number of iterations 8 9 , loop take 100 times longer complete in latest version of firefox (41.0.1). tested on 2 different pcs , magic limit 8. here jsperf test used: http://jsperf.com/instanceof-8-times-vs-9-times does have idea why might happen? seems specific instanceof . not happen if else object, example check property. note: filed bugzilla bug this. jan de mooij mozilla team has posted details in bugzilla thread . here's simplistic interpretation of highly technical answers: in i < 8 case, firefox smart enough hoist result = t instanceof test; statement out of loop (according tests, doesn't seem omit altogether). in i < 9 case, apparently doesn't optimization . why? reason not clear, related fact 9 iterations threshold above function considered "hot" enough run through jit compiler. i < 8 cas...
Read more

Getting gateway time-out Rails app with Nginx + Puma running on Digital Ocean -

following this guide setup app on digital ocean droplet, not working. site not loading , it's throwing: "gateway time-out". the puma server works, since ps aux | grep puma prints: root 15878 0.0 0.4 376832 2168 ? sl 12:50 0:00 puma 2.13.4 (unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock) [20150930164940] root 15881 0.0 0.7 903676 3692 ? sl 12:50 0:06 puma: cluster worker 0: 15878 [20150930164940] root 24654 0.0 0.1 11748 916 pts/2 s+ 18:00 0:00 grep --color=auto puma my nginx config: user root; worker_processes 1; events { worker_connections 1024; } http { upstream puma { server unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock; } server { listen 80; server_name myapp.com; root /var/www/myapp/current/public; access_log /var/www/myapp/current/log/access.log; error_log /...
Read more