Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1048208

Summary: SSL exception in REST Binding when calling HTTPS service
Product: [JBoss] JBoss Fuse Service Works 6
Reporter: Thiago Araki <taraki>
Component: SwitchYard
Assignee: Aileen <aileenc>
Status: CLOSED UPSTREAM
QA Contact: Matej Melko <mmelko>
Severity: medium
Priority: unspecified
Version: 6.0.0
CC: kejohnso, soa-p-jira
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2025-02-10 03:34:46 UTC
Type: Enhancement
Attachments:
Description Flags
EJB tested none

Description Thiago Araki 2014-01-03 11:42:09 UTC
Description of problem:
We are getting the following error when we invoke a service that uses SSL with JBoss FSW, using a RESTEasy service reference in SwitchYard: 

Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost> != <cics teste> at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:228) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1] 

We tried all of the below with no success: 
1. KBase - (https://access.redhat.com/site/solutions/345833) We tried it in several places: EJB startup (see code attached), in a standalone app, or as an EJB embedded in our app. 

2. Changed modules/sun/main/module.xml and added the following line: <path name="com/sun/net/ssl/internal/ssl"/>

3. Added the following line JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.security.ignoreHttpsHost=true" to standalone.xml file. 

4. Ran the script ./standalone.sh -Dorg.jboss.security.ignoreHttpsHost=true (raw parameter)

Version-Release number of selected component (if applicable):
6.0 ER7

How reproducible:
Easy

Steps to Reproduce:
1. Import certificate with mismatched CN to FSW (EAP 6.1)
2. Call HTTPS service using REST Binding

Actual results:
SSL Exception (hostname in certificate didn't match).

Expected results:
SSL Service should work.

Additional info:
Injected (via Byteman) the following code in https://github.com/jboss-switchyard/components/blob/master/resteasy/src/main/java/org/switchyard/component/resteasy/util/ClientInvoker.java and it worked:

HttpsURLConnection.setDefaultHostnameVerifier(org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

Comment 1 Thiago Araki 2014-01-03 11:43:14 UTC
Created attachment 844931 [details]
EJB tested

Comment 3 Thiago Araki 2014-01-03 12:02:58 UTC
Byteman script (workaround) that made it work:

RULE ViavarejoHTTPS Thread monitor
CLASS org.apache.http.conn.ssl.SSLSocketFactory
METHOD <init>
AT EXIT
IF TRUE 
DO
       $0.setHostnameVerifier(org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
ENDRULE

Comment 4 Keith Babo 2014-01-06 16:58:56 UTC
This will be considered as an enhancement for the next release, likely by exposing a configuration property specific to hostname verification.

Comment 6 Magesh Kumar Bojan 2015-07-09 06:00:44 UTC
Although it is a security hole to disable hostname verification, it has been provided as a configuration feature in the linked JIRA.
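
A narrower alternative to the allow-all verifier used in the workarounds above, as an added example that is not from the bug report or from SwitchYard: it tolerates the name mismatch for one host only, and only when the server presents one pinned certificate. The class name PinnedHostVerifier and the all-zero pin are placeholders, "localhost" is the requested host from the error message, and the code uses only JDK classes installed through the same HttpsURLConnection.setDefaultHostnameVerifier call.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical class (not SwitchYard code): one host, one pinned certificate. */
public final class PinnedHostVerifier implements HostnameVerifier {
    private final String host;               // the only host the exception applies to
    private final byte[] pinSha256;          // SHA-256 of that server's DER-encoded certificate
    private final HostnameVerifier fallback; // decides for every other host

    public PinnedHostVerifier(String host, byte[] pinSha256, HostnameVerifier fallback) {
        this.host = host;
        this.pinSha256 = pinSha256.clone();
        this.fallback = fallback;
    }

    @Override
    public boolean verify(String requestedHost, SSLSession session) {
        if (!host.equalsIgnoreCase(requestedHost)) {
            return fallback.verify(requestedHost, session);
        }
        try {
            Certificate leaf = session.getPeerCertificates()[0]; // server's own certificate
            byte[] seen = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            return MessageDigest.isEqual(pinSha256, seen);
        } catch (SSLPeerUnverifiedException | GeneralSecurityException e) {
            return false; // fail closed: no certificate or no digest means no connection
        }
    }

    public static void main(String[] args) {
        // Placeholder pin (32 zero bytes); "localhost" is the requested host in the error above.
        byte[] pin = new byte[32];
        HostnameVerifier jdkDefault = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier(
                new PinnedHostVerifier("localhost", pin, jdkDefault));
        System.out.println("Pinned verifier installed for localhost");
    }
}
```

With HttpsURLConnection, the JDK consults the installed verifier only after its own name check has failed, and certificate chain validation against the truststore still runs before it.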

Comment 15 Red Hat Bugzilla 2025-02-10 03:34:46 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.