5 Replies Latest reply on Apr 1, 2014 7:46 AM by eguzel

JBoss 7.2 exception The https URL hostname does not match the Common Name (CN) on the server certificate.

crumbs May 6, 2013 8:34 PM

I am seeing this exception when a ws client is trying to connect to a https service.

Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate.
To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.

I have tried the following one at a time, and all together. And the error persists.

It is true that the service URL has an ip address whereas the ssl cert has the hostname.

But for pre-production testing, it should be possible to turn this check off.

In the client call:

System.setProperty("org.jboss.security.ignoreHttpsHost", "true");

In standalone.conf:

JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.security.ignoreHttpsHost=true"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"

In the client call:

HTTPConduit conduit = (HTTPConduit) clientProxy.getConduit();
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setTrustManagers(simpleTrustManager);
tlsParams.setDisableCNCheck(true);
conduit.setTlsClientParameters(tlsParams);

Also tried setting these:
tlsParams.setSecureSocketProtocol("SSL");
tlsParams.setSecureSocketProtocol("SSLv3");

Tried this where hostnameVerifier always returns true:
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);

ssl debug trace indictates that the server cert is found in the client keystore but the connection is getting invalidated because of the above exception.

jboss-deployment-structure has 2 dependencies:

Is there any configuration I am missing. I am using 7.2 built from source from GitHub with no other changes.

1. Re: JBoss 7.2 exception The https URL hostname does not match the Common Name (CN) on the server certificate.

asoldano May 8, 2013 5:51 AM (in response to crumbs)

Is the jbossws-cxf integration actually being used on client side? If that's the case, the org.jboss.security.ignoreHttpsHost being set to true should really "solve" the problem. Otherwise, setting tlsParams.setDisableCNCheck(true); programmatically might not help if the problem is during WSDL retrieval (see the discussion at https://community.jboss.org/message/811221#811221 on this).
Actions
2. Re: JBoss 7.2 exception The https URL hostname does not match the Common Name (CN) on the server certificate.

crumbs May 8, 2013 6:24 AM (in response to asoldano)

Yes, the jbossws-cxf integration is being used on the client side. The wsdl is local, within the client war file.
It is only when System.setProperty("org.jboss.security.ignoreHttpsHost", "true") did not seem to work that I added the tlsParams.setDisableCNCheck(true) code.

The service is https enabled. The client is not. It is when the client is making a call that this is happening. Service.create(), getPort() and all works.
This was working in Jboss 7.1.1 and 7.1.3. So I was just wondering if I missed some configuration in Jboss 7.2

Thanks so much.
Actions
3. Re: JBoss 7.2 exception The https URL hostname does not match the Common Name (CN) on the server certificate.

yan.langlois Oct 3, 2013 6:50 AM (in response to crumbs)

I have the same problem.

org.jboss.security.ignoreHttpsHost does not seem to work on JBoss 7.2.

Have you found a solotion to your problem ?
Actions
4. Re: JBoss 7.2 exception The https URL hostname does not match the Common Name (CN) on the server certificate.

crumbs Mar 12, 2014 12:14 PM (in response to yan.langlois)

Yan,Unfortunately, no.

Neither of these worked for me.
System.setProperty("org.jboss.security.ignoreHttpsHost", "true");
In standalone.conf:
JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.security.ignoreHttpsHost=true"
I read somewhere that System.setProperty has random issues, it does not always work.
The JAVA_OPT solution did not work either.

I had to switch to Spring-WS because there was a bug in an underlying apache library, wss4j I think, in CXF at that time, related to SAML.
I had to implement a Spring-WS method to turn off hostname checking.

-Indira
Actions
5. Re: JBoss 7.2 exception The https URL hostname does not match the Common Name (CN) on the server certificate.

eguzel Apr 1, 2014 7:46 AM (in response to crumbs)

I had the same problem also. After hours of debugging i decided that is a bug in Jboss 7.2 and cxf integration. I replaced the cxf module(and also woodstox) in Jboss 7.2 with the one from Jboss 8 and it works now.
Actions

Go to original post