
We have an application deployed in JBoss SOA 5.3.1. We created a self-signed certificate on both server and client, and it is one-way SSL. But both the server and client certificates were created with the hostname, and the endpoint is registered with an IP address. We are using

protocol-socket-factory=org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory

configured in httpClient.properties. But when hitting the endpoint, an exception is thrown saying

org.jboss.soa.esb.actions.ActionProcessingException: problem processing HTTP I/O: hostname in certificate didn't match: <15.191.34.56> != hostname.

Please let me know how to disable hostname verification for StrictSSL.

halfer
Ashwini

2 Answers


Turning off host name verification would make your connection vulnerable to MITM attacks. This isn't the right way to fix this.

The problem you have comes from the fact that you're using an IP address, and not a host name. Java follows RFC 2818 strictly on this point (unlike some browsers):

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

When you generate your certificate, make sure you put the IP address in the Subject Alternative Name (of type IP address), as described here. Alternatively, use host names instead (although it's still recommended to put the name in the SAN anyway).

Bruno
  • I have created a custom class extending StrictSSL provided by Apache and set false in the default constructor, which worked, but it's a security breach. – Ashwini Feb 25 '14 at 10:16
  • Up to you, but is it really less work than generating a new certificate with the right SAN (also considering you may have to fix that code in a later deployment of your application, so as to remove this potential vulnerability)? – Bruno Feb 25 '14 at 10:21
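The fix Bruno describes, as an added example that is not part of the original answers: a POSIX shell script using openssl (assumed to be installed) that issues a self-signed certificate whose subjectAltName carries the IP address the endpoint is registered under, plus a check that the iPAddress SAN really is present before the certificate goes into the JBoss keystore. The IP 15.191.34.56 and the name hostname.with.cert.issued are taken from the page as illustrative values.

```shell
#!/bin/sh
# Added example: issue a self-signed server certificate with an IP SAN so
# that Java's RFC 2818 check (StrictSSLProtocolSocketFactory) passes for an
# endpoint addressed by IP, instead of disabling hostname verification.
# Values passed in by the caller are illustrative; substitute your own.

# make_cert_with_ip_san IP HOSTNAME OUTPREFIX
# Writes OUTPREFIX.key and OUTPREFIX.crt with SAN = IP:<IP>, DNS:<HOSTNAME>.
# The DNS entry is kept as well, so the same certificate works if clients
# later switch to calling the server by name.
make_cert_with_ip_san() {
    ip=$1; host=$2; out=$3
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = $host
[v3_ext]
subjectAltName = IP:$ip,DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out.key" -out "$out.crt" -config "$cfg" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# cert_has_ip_san CERT IP
# Exit 0 only if the certificate's SAN contains an IP Address entry that
# exactly equals IP (a prefix match such as 15.191.34.5 must not pass).
cert_has_ip_san() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text \
        | grep -Eq "IP Address:$esc"'(,|$)'
}
```

Import the resulting server.crt into the client's truststore with keytool -importcert, and the key pair into the server keystore, exactly as you already do for the hostname-only certificate.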

The whole SSL certificate scheme for the web is based on hostnames. You cannot simply turn off "host name verification" because it is part of the standard.

To overcome this problem you need to call the host by the name specified in the issued certificate. If you have a central DNS server it is best to configure host names there. If not, you can use the hosts file on the boxes that need to communicate.

  • On Windows it will be in: Drive:\Windows\System32\drivers\etc\hosts
  • On Linux it is in /etc/hosts

Add the following line: 15.191.34.56 hostName.with.cert.issued

In your code, call the server by its name; you also need to make sure JBoss is listening on this name.

JJ Roman
  • Configuration is done in /etc/hosts for the IP address and hostname. The client has a few services with endpoints registered by IP address and they cannot change it to a hostname. I have tried with AUTHSSL and EasySSL also. I read that for StrictSSL there is a way to disable hostname verification and I tried every possibility to disable it. In httpClient.properties I have added the following conf: STRICTSSL=false StrictSSLProtocolSocketFactory.setHostnameVerification=false. The above values are not honoured. – Ashwini Feb 22 '14 at 09:57
  • I see, then maybe it would be possible to add a wrapper for the socket factory? And in the default constructor call the base class's constructor with a false parameter. http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/StrictSSLProtocolSocketFactory.java – JJ Roman Feb 22 '14 at 11:31