This bug is for tracking zanata-client.

+++ This bug was initially created as a clone of Bug #1102465 +++

Description of problem:
There is an issue with SSL negotiation when connecting the java-based clients to translate.zanata.org
The client refuses to connect with an SSLException (detailed below), and no operations are able to run.

Version-Release number of selected component (if applicable):
Client 3.2.x (although it's possible all versions are affected)

How reproducible:
Always

Steps to Reproduce:
1. Try to run any client (maven or otherwise) command against translate.zanata.org

Actual results:
The following error appears:

    hostname in certificate didn't match: <translate.zanata.org> != <*.itos.redhat.com>

Expected results:
The command is successfully executed. Or it fails for a business logic related reason.

Additional info:
SSL negotiation is not returning the custom certificate to some clients.

At 2014-05-28T20:26:10+10:00, one of our users was using a Java-based client to connect to our ITOS instance translate.zanata.org (openid-zanata1.itos.redhat.com). It was working, but then it dropped out with this error message:

    hostname in certificate didn't match: <translate.zanata.org> != <*.itos.redhat.com>

Right now, if we connect to https://translate.zanata.org/zanata/ in a web browser, everything is fine with the certificate chain, but if we use the Java client, or if we use the openssl command line -

    </dev/null openssl s_client -connect translate.zanata.org:443 | openssl x509|grep depth
    depth=1 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = IS, CN = Red Hat IS CA, emailAddress = sysadmin-rdu
    verify return:1
    depth=0 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Information Technology, CN = *.itos.redhat.com, emailAddress = gca
    verify return:1
    DONE

- the returned certificate only mentions the default *.itos.redhat.com, with no mention of the hostname in the uploaded certificate: translate.zanata.org.

We have tried re-uploading the certificate, but nothing changed.

--- Additional comment from Carlos Munoz on 2014-05-29 13:45:06 EST ---

See also: https://github.com/zanata/zanata-client/pull/23

--- Additional comment from Sean Flanigan on 2014-05-29 13:51:30 EST ---

Note that the openssl does the right thing, if you activate SNI with the option -servername translate.zanata.org

eg

    </dev/null openssl s_client -connect translate.zanata.org:443 -servername translate.zanata.org | openssl x509|grep depth

I was able to test on Java 1.6 (even though my default JVM is 1.7) with a command line like this:

    JAVACMD=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/bin/java mvn org.zanata:zanata-maven-plugin:3.3.2-SNAPSHOT:stats -Dzanata.url=https://translate.zanata.org/zanata/ -Dzanata.project=test -Dzanata.projectVersion=test -Dzanata.disableSSLCert

The JAVACMD variable forces the use of Java 1.6.
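Added example (not part of the bug thread or of zanata-client): a small Python check that classifies a host from the `depth=` lines of the two `openssl s_client` probes described above, one without and one with `-servername`. The first sample is abridged from the report; the second is constructed, and the function names and verdict strings are assumptions of this example.

```python
import re

# Abridged from the report: `openssl s_client` depth lines WITHOUT -servername.
NO_SNI = '''depth=1 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = IS, CN = Red Hat IS CA
verify return:1
depth=0 C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Information Technology, CN = *.itos.redhat.com
verify return:1
'''
# Constructed sample: assumed shape of the same output WITH -servername.
WITH_SNI = '''depth=0 CN = translate.zanata.org
verify return:1
'''

def leaf_cn(s_client_output):
    """Return the subject CN of the depth=0 (leaf) certificate, or None."""
    for line in s_client_output.splitlines():
        if line.startswith("depth=0 "):
            m = re.search(r"\bCN\s*=\s*([^,]+)", line)
            return m.group(1).strip() if m else None
    return None

def name_matches(pattern, host):
    """Certificate-style match: '*' may only be the whole left-most label
    and stands for exactly one label, so it never crosses a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def diagnose(host, no_sni_output, sni_output):
    """Classify a host from the two probes. Only the subject CN is compared,
    because that is all the depth= lines show; real verifiers also check
    subjectAltName entries."""
    plain, sni = leaf_cn(no_sni_output), leaf_cn(sni_output)
    ok_plain = plain is not None and name_matches(plain, host)
    ok_sni = sni is not None and name_matches(sni, host)
    if ok_plain and ok_sni:
        return "ok"
    if ok_sni:
        return "sni-required"  # non-SNI clients get the default certificate
    return "mismatch"

if __name__ == "__main__":
    print(diagnose("translate.zanata.org", NO_SNI, WITH_SNI))
```

A "sni-required" verdict means the server configuration is fine and the fix belongs on the client side, which is where this bug ended up.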
any plans to see an update for this on f20?
Until bug 1103931 is fixed, we cannot push the fix without breaking the package guideline. In the mean time, please use maven plugin instead.
(In reply to Ding-Yi Chen from comment #2)
> Until bug 1103931 is fixed, we cannot push the fix without breaking the
> package guideline.
>
> In the mean time, please use maven plugin instead.

how? I'm not familiar with it.
We need to back-port the fix for bug 1102465 to F19 and F20. As a potential workaround, https://github.com/zanata/zanata-client-ivy is probably easier to adjust to (for users coming from zanata-client) than the maven plugin.
I think this may be blocked (at least on F20) by bug 1077978.
May also need to backport the disable ssl cert option in F19

(In reply to Sean Flanigan from comment #4)
> We need to back-port the fix for bug 1102465 to F19 and F20.
>
> As a potential workaround, https://github.com/zanata/zanata-client-ivy is
> probably easier to adjust to (for users coming from zanata-client) than the
> maven plugin.
thanks. zanata-client-ivy works fine on f20 even.
The fix for bug 1102465 has been back-ported to work with httpcomponents-client 4.2 (as found in Fedora 19/20): https://github.com/zanata/zanata-client/pull/28
zanata-client-3.3.2-3.fc20 is in fedora 20 update-testing repo.
zanata-client-2.2.0-4.fc19 is in fedora 19 update-testing repo. http://koji.fedoraproject.org/koji/search?terms=zanata-client-2.2.0-4.fc19&type=build&match=glob
VERIFIED with zanata-client-3.3.2-3.fc20
Tested with zanata-client-2.2.0-4.fc19.noarch

    zanata-cli -e pull --url https://translate.zanata.org/zanata/ --username <USERNAME> --key <KEY> --project <PRJ> --project-version <VER> -s . -t . --project-type <PRJ_TYPE> --locales <LOCALES>

[WARN] exception processing request
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
    at org.zanata.rest.client.ZanataProxyFactory$1.connectSocket(ZanataProxyFactory.java:132)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:109)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
    at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.zanata.rest.client.TraceDebugInterceptor.execute(TraceDebugInterceptor.java:81)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.zanata.rest.client.ApiKeyHeaderDecorator.execute(ApiKeyHeaderDecorator.java:42)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:443)
    at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:674)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:110)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
    at com.sun.proxy.$Proxy32.get(Unknown Source)
    at org.zanata.rest.client.ZanataProxyFactory.<init>(ZanataProxyFactory.java:81)
    at org.zanata.rest.client.ZanataProxyFactory.<init>(ZanataProxyFactory.java:68)
    at org.zanata.client.commands.OptionsUtil.createRequestFactory(OptionsUtil.java:155)
    at org.zanata.client.commands.PushPullCommand.<init>(PushPullCommand.java:90)
    at org.zanata.client.commands.pull.PullCommand.<init>(PullCommand.java:60)
    at org.zanata.client.commands.pull.PullOptionsImpl.initCommand(PullOptionsImpl.java:60)
    at org.zanata.client.commands.ArgsUtil.process(ArgsUtil.java:82)
    at org.zanata.client.ZanataClient.processArgs(ZanataClient.java:150)
    at org.zanata.client.ZanataClient.main(ZanataClient.java:45)
[ERROR] Execution failed:
java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:114)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
    at com.sun.proxy.$Proxy32.get(Unknown Source)
    at org.zanata.rest.client.ZanataProxyFactory.<init>(ZanataProxyFactory.java:81)
    at org.zanata.rest.client.ZanataProxyFactory.<init>(ZanataProxyFactory.java:68)
    at org.zanata.client.commands.OptionsUtil.createRequestFactory(OptionsUtil.java:155)
    at org.zanata.client.commands.PushPullCommand.<init>(PushPullCommand.java:90)
    at org.zanata.client.commands.pull.PullCommand.<init>(PullCommand.java:60)
    at org.zanata.client.commands.pull.PullOptionsImpl.initCommand(PullOptionsImpl.java:60)
    at org.zanata.client.commands.ArgsUtil.process(ArgsUtil.java:82)
    at org.zanata.client.ZanataClient.processArgs(ZanataClient.java:150)
    at org.zanata.client.ZanataClient.main(ZanataClient.java:45)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
    at org.zanata.rest.client.ZanataProxyFactory$1.connectSocket(ZanataProxyFactory.java:132)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:109)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
    at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.zanata.rest.client.TraceDebugInterceptor.execute(TraceDebugInterceptor.java:81)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.zanata.rest.client.ApiKeyHeaderDecorator.execute(ApiKeyHeaderDecorator.java:42)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:443)
    at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:674)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:110)
    ... 11 more
Are you using Java 1.7? There should have been a warning in the log if you weren't. Java 1.6 can't handle SNI.
works for me in my f19 virtual box.
Turns out my test case triggered Bug 1123204. In terms of this bug, it should be verified.

BTW, by default, Fedora 19 ships with java-1.7.0-openjdk-1.7.0.65-2.5.1.2.fc19.x86_64
Pushed to stable in f19 and f20