
I am using Spring SAML to implement single sign-on in my application. Everything is integrated and works properly from the SSO perspective. Another service of my application, which also uses HTTP client POST via Axis, started failing with the following error:

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null

I have looked into the answer provided at the link Spring Security SAML + HTTPS to another page and followed the same, but to no avail.

Below is the configuration for TLSProtocolSocketFactory:

    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetClass" value="org.apache.commons.httpclient.protocol.Protocol"/>
        <property name="targetMethod" value="registerProtocol"/>
        <property name="arguments">
            <list>
                <value>https</value>
                <bean class="org.apache.commons.httpclient.protocol.Protocol">
                    <constructor-arg value="https"/>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory">
                            <constructor-arg ref="keyManager"/>
                            <constructor-arg><null/></constructor-arg>
                            <constructor-arg value="allowAll"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg value="443"/>
                </bean>
            </list>
        </property>
    </bean>

I have imported the cert of the other service in samlKeystore.jks as well.

Any help with the issue will be appreciated.


2 Answers

1

I think this may be what you're looking for: Source

You are using bean TLSProtocolConfigurer which changes trusted certificates and hostname verification of the HTTPS protocol in the HTTP Client. You can revert behaviour of the HTTP Client back to defaults by removing this bean. You will then need to make sure that certificates used by entities from which you load metadata (https://idp.ssocircle.com/idp-meta.xml) are trusted in your cacerts, or use an endpoint without https (http://idp.ssocircle.com/idp-meta.xml).

Alternatively, you can disable hostname verification by setting property sslHostnameVerification to allowAll on bean TLSProtocolConfigurer. You will also need to make sure that the HTTPS certificate of https://www.somepage.com (or its CA) is included in the samlKeystore.jks (see Spring SAML manual).

You can find more details on the TLSProtocolConfigurer bean in the Spring SAML manual, chapter HTTP-based metadata provider with SSL.

blur0224
  • Thanks @blur0224. I have posted the same link in the question above and followed the directions. Even after removing the above mentioned bean I am getting the exception `faultDetail: {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLException: Error in hostname verification at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:153) at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:118)` – Atif Siddiqui Jul 28 '16 at 21:32
  • You can also get this error if you're trying to connect to a webservice using java that has a self signed certificate. Java needs to explicitly trust the cert by having it added to the JKS. Is it possible that you switched to a different JDK or updated to a new one around the same time that may not have that CA loaded? – blur0224 Jul 29 '16 at 11:40
  • I have the site's CA loaded in both the samlKeystore.jks and also the JRE cacerts. One observation I have seen is that when I use Spring's TLSProtocolSocketFactory, then in the verifyHostname function of OpenSAML's TLSProtocolSocketFactory the host always comes out to be null when it gets retrieved from sslSession.getPeerHost()... – Atif Siddiqui Jul 30 '16 at 16:04
  • Anyone got the solution? Please help. – Kyaw Zin Htun Apr 17 '20 at 02:36
0

The issue is in the checkNames() function of PKIXX509CredentialTrustEngine, where we are checking the trustedNames collection only for null instead of "null or empty".

Even though we are passing the value for trustedNames as null in TLSProtocolSocketFactory's getPKIXResolver() method to create StaticPKIXValidationInformationResolver, the constructor of this class reinitializes the trustedNames collection to an empty collection.

Changing the line from

    if (trustedNames == null)

to

    if (trustedNames == null || trustedNames.isEmpty())

fixed the problem for me.
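To make the null-versus-empty point concrete, here is an added example (not OpenSAML's or Spring SAML's code) with a hypothetical resolver and the two variants of the checkNames() condition; the class and method names and the certificate names are assumed for illustration.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for the trusted-names check discussed above; not OpenSAML's code.
// It models two facts from the answer: the resolver constructor replaces a null
// trustedNames collection with an empty one, and checkNames() decides whether to
// skip name matching by testing that collection.
public class TrustedNamesCheckDemo {
    /** Mimics a resolver constructor that never stores null. */
    static Set<String> resolverTrustedNames(Set<String> configured) {
        return configured == null ? Collections.<String>emptySet() : new HashSet<>(configured);
    }
    /** Original condition: only a null collection means "skip the name check". */
    static boolean checkNamesOriginal(Set<String> trustedNames, Set<String> certNames) {
        if (trustedNames == null) {
            return true;
        }
        return matchesAny(trustedNames, certNames);
    }
    /** Fixed condition from the answer: null or empty means "skip the name check". */
    static boolean checkNamesFixed(Set<String> trustedNames, Set<String> certNames) {
        if (trustedNames == null || trustedNames.isEmpty()) {
            return true;
        }
        return matchesAny(trustedNames, certNames);
    }
    /** Passes when any name from the certificate (subject CN or SAN) is in the trusted set. */
    static boolean matchesAny(Set<String> trustedNames, Set<String> certNames) {
        for (String name : certNames) {
            if (trustedNames.contains(name)) {
                return true;
            }
        }
        return false;
    }
    public static void main(String[] args) {
        // Constructed sample: names extracted from the peer certificate.
        Set<String> certNames = Collections.singleton("www.somepage.com");
        // The caller passes null, as getPKIXResolver() does, but the resolver stores an empty set,
        // so the original condition goes on to match names against nothing and rejects the peer.
        Set<String> stored = resolverTrustedNames(null);
        System.out.println("original: " + checkNamesOriginal(stored, certNames));
        System.out.println("fixed:    " + checkNamesFixed(stored, certNames));
        // Explicitly configured trusted names are still enforced by the fixed variant.
        Set<String> pinned = resolverTrustedNames(Collections.singleton("idp.example.org"));
        System.out.println("pinned:   " + checkNamesFixed(pinned, certNames));
    }
}
```

With the fixed condition an empty trusted-name set imposes no name binding at all, so the binding between the certificate and the host you connected to has to come from the socket factory's own hostname verification setting rather than from this set.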