Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1102465

Summary: Problem with SSL certificates when running clients against translate.zanata.org
Product: [Retired] Zanata
Reporter: Carlos Munoz <camunoz>
Component: Component-Maven, Component-zanata-client, Component-zanata-client-ivy
Assignee: Damian Jansen <djansen>
Status: CLOSED CURRENTRELEASE
QA Contact: Ding-Yi Chen <dchen>
Severity: urgent
Priority: urgent
Version: 3.4
CC: dchen, sflaniga, zanata-bugs
Fixed In Version: org.zanata:zanata-maven-plugin:3.3.2-SNAPSHOT(d3b0682220b0e92bad73f10a52ae3baf6a910c71)
Doc Type: Bug Fix
Clone Of:
: 1102480 (view as bug list) Environment:
Last Closed: 2014-05-30 00:38:40 UTC
Type: Bug
Bug Blocks: 1102480    

Description Carlos Munoz 2014-05-29 03:44:16 UTC
Description of problem:
There is an issue with SSL negotiation when connecting the Java-based clients to translate.zanata.org.
The client refuses to connect with an SSLException (detailed below), and no operations are able to run.

Version-Release number of selected component (if applicable):
Client 3.2.x (although it's possible all versions are affected)

How reproducible:
Always

Steps to Reproduce:
1. Try to run any client (maven or otherwise) command against translate.zanata.org

Actual results:
The following error appears:

hostname in certificate didn't match: <translate.zanata.org> != <*.itos.redhat.com>

Expected results:
The command is successfully executed. Or it fails for a business logic related reason.

Additional info:
SSL negotiation is not returning the custom certificate to some clients.

At 2014-05-28T20:26:10+10:00, one of our users was using a Java-based
client to connect to our ITOS instance translate.zanata.org
(openid-zanata1.itos.redhat.com).  It was working, but then it dropped
out with this error message:

hostname in certificate didn't match: <translate.zanata.org> != <*.itos.redhat.com>



Right now, if we connect to https://translate.zanata.org/zanata/ in a
web browser, everything is fine with the certificate chain, but if we
use the Java client, or if we use the openssl command line -

</dev/null openssl s_client -connect translate.zanata.org:443 | openssl x509|grep depth

depth=1 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = IS, CN = Red Hat IS CA, emailAddress = sysadmin-rdu
verify return:1
depth=0 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Information Technology, CN = *.itos.redhat.com, emailAddress = gca
verify return:1
DONE


- the returned certificate only mentions the default *.itos.redhat.com,
with no mention of the hostname in the uploaded certificate:
translate.zanata.org.

We have tried re-uploading the certificate, but nothing changed.

Comment 1 Carlos Munoz 2014-05-29 03:45:06 UTC
See also:
https://github.com/zanata/zanata-client/pull/23

Comment 2 Sean Flanigan 2014-05-29 03:51:30 UTC
Note that openssl does the right thing if you activate SNI with the option

    -servername translate.zanata.org

e.g.

</dev/null openssl s_client -connect translate.zanata.org:443 -servername translate.zanata.org | openssl x509|grep depth



I was able to test on Java 1.6 (even though my default JVM is 1.7) with a command line like this:

JAVACMD=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/bin/java mvn org.zanata:zanata-maven-plugin:3.3.2-SNAPSHOT:stats -Dzanata.url=https://translate.zanata.org/zanata/ -Dzanata.project=test -Dzanata.projectVersion=test -Dzanata.disableSSLCert

The JAVACMD variable forces the use of Java 1.6.

Comment 3 Ding-Yi Chen 2014-05-29 05:21:03 UTC
VERIFIED with org.zanata:zanata-maven-plugin:3.3.2-SNAPSHOT

https://github.com/zanata/zanata-client/commit/d3b0682220b0e92bad73f10a52ae3baf6a910c71


Note: This fix only applies to Java 1.7 or higher;
for Java 1.6, the option -Dzanata.disableSSLCert must be used.
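
Added example (not from the report or the Zanata project): the with/without-SNI comparison from the description and Comment 2, written as a Python check that classifies a host whose correct certificate is only served when the client sends SNI. The function names `presented_names`, `name_matches` and `diagnose` are chosen here, and the sample name lists are constructed from the hostnames quoted in the report, not captured from a live server.

```python
import socket
import ssl


def presented_names(host, port=443, send_sni=True, timeout=5.0):
    """Return the DNS names in the certificate the server presents.

    send_sni=False omits the server_name extension, as a client without SNI
    support would. Needs network access, and the chain must validate against
    the local trust store for getpeercert() to return parsed fields.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in diagnose() instead
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sni = host if send_sni else None
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans or cns  # CN is only a fallback when no SAN is present


def name_matches(pattern, host):
    """Match a certificate name; '*' covers exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(host, names_with_sni, names_without_sni):
    """Classify the host from the names seen with and without SNI."""
    ok_sni = any(name_matches(n, host) for n in names_with_sni)
    ok_plain = any(name_matches(n, host) for n in names_without_sni)
    if ok_sni and ok_plain:
        return "ok"
    if ok_sni:
        return "sni-required"  # clients that omit SNI get the default certificate
    return "mismatch"  # no matching certificate even with SNI


# Constructed from the names quoted in this report, not a live capture.
WITH_SNI = ["translate.zanata.org"]
WITHOUT_SNI = ["*.itos.redhat.com"]

if __name__ == "__main__":
    print(diagnose("translate.zanata.org", WITH_SNI, WITHOUT_SNI))
```

Recent OpenSSL releases send SNI from `s_client` by default, so reproducing the no-SNI case with the command in the description needs `-noservername`.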