
Thanks to @ycr (:-)) I made some steps forward, but I still got SSL errors when trying to reach an endpoint requiring SSL on client side (i.e. p12 certificate or .crt/.key equivalent). I followed this as suggested by ycr. Now, when I call the endpoint from Postman through wso mi, (the embedded instance in Integration Studio) it throws: "Host name verification failed for host", exception referred to: org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:182).

Now, as I said in my previous post, I can successfully connect with the endpoint (https://37.186.199.242:6443/web-app) by Python script:

import json
import requests

cert = r"path\cert.crt"  # client certificate (PEM)
key = r"path\cert.key"   # matching private key (PEM)
headers = {'Content-type': 'application/json', 'Accept': 'application/json, text/plain, */*'}
data = json.dumps(None)
# verify=False skips server certificate validation entirely (chain and hostname)
response = requests.post("https://37.186.199.242:6443/web-app", data=data, headers=headers, cert=(cert, key), verify=False)

which gives me the same response as querying the URL in Chrome with the cert.p12 certificate installed.

But when I try requests.post with verify=True, I get the following Python exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='37.186.199.242', port=6443): Max retries exceeded with url: /web-app (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))

which sounds pretty much the same as the SSLException thrown by ClientSSLSetupHandler. Thus, I reckon, should I replicate the same behaviour in WSO2 MI by disabling hostname verification? Looking at the ClientSSLSetupHandler.java class source code, this is achieved by setting HostnameVerifier = AllowAll.

As for the inline code:

/**
 * The ALLOW_ALL HostnameVerifier essentially turns hostname verification
 * off. This implementation is a no-op, and never throws the SSLException.
 */

Promising! But how to set that?

I went through several posts. The best guess I could find is here, suggesting to include the following in axis2.xml.

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
   <!--...-->
   <!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
   <parameter name="HostnameVerifier">AllowAll</parameter>
</transportSender>
  1. Not sure whether I should adjust the transportSender class attribute to target class="org.apache.synapse.transport.http.conn.ClientSSLSetupHandler" or eventually some other superclass or abstract class.
  2. It seems axis2.xml is rewritten by the MI engine every time I start it up. Thus, there must be another way! Any suggestion? Thanks in advance.

P.S. As I'm getting really hot on WSO2, but it is a rather complicated world, is there a document I can study explaining (for dummies like me :-)) how each piece is connected? I mean: Carbon, Synapse, Axis2, WSO2 Application Manager, WSO2 Micro Integrator and its dashboard, ESB...


2 Answers


Disabling Hostname verification is not a good practice. Ideally, you should be creating proper certificates with a proper domain name and use the domain name to access the service rather than the IP. If you want to disable hostname verification try adding the following to deployment.toml

[transport.http]
sender.hostname_verifier = "AllowAll"

Update

Since you have a public IP, I just checked your cert and it doesn't look correct.


Your CN should be something like *.dflight.com; then you should use this hostname to access the service (e.g. https://staging.dflight.com). If you haven't purchased this domain, you can add it to your hosts file and access it that way.

Take a look at the following cert used by WSO2.


This answer will also help you I believe.

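The two errors in the question come from two independent client checks: chain trust (the "self signed certificate" failure with verify=True) and hostname verification (the "Host name verification failed" from ClientSSLSetupHandler). The Go program below, an added illustration that is not part of either post, mints a throwaway self-signed certificate with Go's standard library (chosen because it can do so offline) and runs each check on its own; the IP 192.0.2.10 and the SAN values are constructed examples, and the wildcard name follows the suggestion in the answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server certificate (constructed test data, no
// real CA involved) with the given CN and SANs; IP-looking SANs go into the IP SAN.
func selfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, s := range sans {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, s)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerCert runs the two checks a TLS client performs independently: chain trust
// against an explicit trust store (trusted == nil trusts nothing) and hostname
// verification against the address dialled. verify=False in requests disables both;
// AllowAll in MI disables only the second; pinning the supplier's CA fixes the first.
func checkServerCert(cert, trusted *x509.Certificate, host string) (chainOK, hostOK bool) {
	roots := x509.NewCertPool() // empty, not nil: nil would mean the system roots
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil, cert.VerifyHostname(host) == nil
}
```

A certificate whose only name is in the CN fails hostname verification even when its issuer is trusted, which is why the answer recommends a proper SAN and accessing the service by that name.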

Thank you again, ycr. We do have a wildcard certificate for our production web site. Client SSL certificates are used to limit access to some parts of the site, such as staging and pre-production, back-office admin or other reserved areas, which are not for public access although exposed on the public internet. It is our supplier that manages the generation of such certificates and, for reasons I don't know, it's using self-signed CA certificates. To give you an idea, find here a snapshot of the .p12 client-side certificate which was released to me. The only thing I can do for the time being is try to disable hostname verification :-(, and hope it works as it does in the Python implementation.

Client Side SSL Certificate

    By the way, setting [transport.http] sender.hostname_verifier = "AllowAll" in deployment.toml works 100%. Just tested :-) – Cristiano May 15 '23 at 06:25