[ https://issues.apache.org/jira/browse/CMIS-1007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15826106#comment-15826106 ]

Chris Turchin commented on CMIS-1007:
-------------------------------------

Hi [~fmuller]

Thanks for your feedback - it would seem you solved this for me!

FTFA:

{quote}
The simplest solution, and it's recommended as it closes many other security vulnerabilities, is to upgrade to Java JDK/JRE 8U101 or later (and ideally later, as of writing, it's version 8U111). There is also Java 7 update, 7U111 which also has the certificates needed but that's only for Oracle clients on support contracts.
{quote}

This would seem to be incorrect. I am using an Oracle JDK with the version

{noformat}
C:\tmp>java -version
java version "1.8.0_102"
Java(TM) SE Runtime Environment (build 1.8.0_102-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.102-b14, mixed mode)
{noformat}

Which I would have assumed had the new certificates installed, but this would seem not to be true. After installing the certificate, I was able to connect (and authenticate)!

> Server name indication support for cmis-workbench
> -------------------------------------------------
>
>                 Key: CMIS-1007
>                 URL: https://issues.apache.org/jira/browse/CMIS-1007
>             Project: Chemistry
>          Issue Type: Improvement
>          Components: opencmis-workbench
>    Affects Versions: OpenCMIS 1.0.0
>         Environment: Windows 8.1
>            Reporter: Chris Turchin
>              Labels: features, security
>
> I have recently started using letsencrypt as a certificate authority for my development servers.
> Unfortunately, I get the following error when trying to login to my cmis server using the latest version of cmis-workbench:
> {code}
> > 18:17:48 ERROR hemistry.opencmis.workbench.ClientHelper: CmisPermissionDeniedException: Forbidden
> org.apache.chemistry.opencmis.commons.exceptions.CmisPermissionDeniedException: Forbidden
>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:497)
>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:701)
>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:873)
>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:66)
>     at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:92)
>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.getRepositories(SessionFactoryImpl.java:120)
>     at org.apache.chemistry.opencmis.workbench.model.ClientSession.connect(ClientSession.java:243)
>     at org.apache.chemistry.opencmis.workbench.model.ClientSession.(ClientSession.java:124)
>     at org.apache.chemistry.opencmis.workbench.LoginDialog.createClientSession(LoginDialog.java:302)
>     at org.apache.chemistry.opencmis.workbench.LoginDialog$1.actionPerformed(LoginDialog.java:123)
>     at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
>     at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
>     at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
>     at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
>     at javax.swing.AbstractButton.doClick(Unknown Source)
>     at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed(Unknown Source)
>     at javax.swing.SwingUtilities.notifyAction(Unknown Source)
>     at javax.swing.JComponent.processKeyBinding(Unknown Source)
>     at javax.swing.KeyboardManager.fireBinding(Unknown Source)
>     at javax.swing.KeyboardManager.fireKeyboardAction(Unknown Source)
>     at javax.swing.JComponent.processKeyBindingsForAllComponents(Unknown Source)
>     at javax.swing.JComponent.processKeyBindings(Unknown Source)
>     at javax.swing.JComponent.processKeyEvent(Unknown Source)
>     at java.awt.Component.processEvent(Unknown Source)
>     at java.awt.Container.processEvent(Unknown Source)
>     at java.awt.Component.dispatchEventImpl(Unknown Source)
>     at java.awt.Container.dispatchEventImpl(Unknown Source)
>     at java.awt.Component.dispatchEvent(Unknown Source)
>     at java.awt.KeyboardFocusManager.redispatchEvent(Unknown Source)
>     at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(Unknown Source)
>     at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(Unknown Source)
>     at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(Unknown Source)
>     at java.awt.DefaultKeyboardFocusManager.dispatchEvent(Unknown Source)
>     at java.awt.Component.dispatchEventImpl(Unknown Source)
>     at java.awt.Container.dispatchEventImpl(Unknown Source)
>     at java.awt.Window.dispatchEventImpl(Unknown Source)
>     at java.awt.Component.dispatchEvent(Unknown Source)
>     at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
>     at java.awt.EventQueue.access$500(Unknown Source)
>     at java.awt.EventQueue$3.run(Unknown Source)
>     at java.awt.EventQueue$3.run(Unknown Source)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
>     at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
>     at java.awt.EventQueue$4.run(Unknown Source)
>     at java.awt.EventQueue$4.run(Unknown Source)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
>     at java.awt.EventQueue.dispatchEvent(Unknown Source)
> > 18:17:48 ERROR hemistry.opencmis.workbench.ClientHelper: Error code: 0
> > 18:17:48 ERROR hemistry.opencmis.workbench.ClientHelper: Error content:
> 403 Forbidden
> Forbidden
> You don't have permission to access /mc/cmis/atom
> on this server.
> Reason: The client software did not provide a hostname using Server Name Indication (SNI), which is required to access this server.
> {code}
> The certificate is on the reverse proxy, running Apache/2.4.18 (Ubuntu) and looks basically like this:
> {code}
> ServerName somehost.somedomain
> SSLEngine On
> SSLCertificateFile /var/letsencrypt/somehost.somedomain/signed.crt
> SSLCertificateKeyFile /var/letsencrypt/somehost.somedomain/domain.key
> SSLCACertificateFile /var/letsencrypt/somehost.somedomain/intermediate.pem
> SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
> SSLOpenSSLConfCmd DHParameters "/usr/local/apache2/1024dhparams.pem"
> SSLProxyEngine on
> ProxyPass / http://localhost:8379/ timeout=600
> ProxyPassReverse / http://localhost:8379/ timeout=600
> ProxyPreserveHost On
> Header set Access-Control-Allow-Origin "*"
> Header set Access-Control-Allow-Credentials "true"
> Header edit Location ^http(\:\/\/.*)$ https$1
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)