hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HTTPCLIENT-1884) javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer
Date Mon, 27 Nov 2017 11:44:00 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1884?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Oleg Kalnichevski resolved HTTPCLIENT-1884.
-------------------------------------------
    Resolution: Invalid

Works just fine here
{code:java}
CloseableHttpClient client = HttpClientBuilder.create()
        .build();
HttpGet httpGet = new HttpGet("https://www.googleapis.com/oauth2/v2/userinfo");
CloseableHttpResponse response1 = client.execute(httpGet);
try {
    System.out.println(response1.getStatusLine());
    EntityUtils.consume(response1.getEntity());
} finally {
    response1.close();
}
{code}

{noformat}
[DEBUG] RequestAddCookies - CookieSpec selected: default
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://www.googleapis.com:443][total
kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://www.googleapis.com:443][total
kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] MainClientExec - Opening connection {s}->https://www.googleapis.com:443
[DEBUG] DefaultHttpClientConnectionOperator - Connecting to www.googleapis.com/216.58.205.106:443
[DEBUG] SSLConnectionSocketFactory - Connecting socket to www.googleapis.com/216.58.205.106:443
with timeout 0
[DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
[DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] SSLConnectionSocketFactory - Starting handshake
[DEBUG] SSLConnectionSocketFactory - Secure session established
[DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1.2
[DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[DEBUG] SSLConnectionSocketFactory -  peer principal: CN=*.googleapis.com, O=Google Inc, L=Mountain
View, ST=California, C=US
[DEBUG] SSLConnectionSocketFactory -  peer alternative names: [*.googleapis.com, *.clients6.google.com,
*.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
[DEBUG] SSLConnectionSocketFactory -  issuer principal: CN=Google Internet Authority G2, O=Google
Inc, C=US
[DEBUG] DefaultHttpClientConnectionOperator - Connection established 192.168.43.64:58924<->216.58.205.106:443
[DEBUG] MainClientExec - Executing request GET /oauth2/v2/userinfo HTTP/1.1
[DEBUG] MainClientExec - Target auth state: UNCHALLENGED
[DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
[DEBUG] headers - http-outgoing-0 >> GET /oauth2/v2/userinfo HTTP/1.1
[DEBUG] headers - http-outgoing-0 >> Host: www.googleapis.com
[DEBUG] headers - http-outgoing-0 >> Connection: Keep-Alive
[DEBUG] headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_121)
[DEBUG] headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
[DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
[DEBUG] headers - http-outgoing-0 << Vary: Origin
[DEBUG] headers - http-outgoing-0 << Vary: X-Origin
[DEBUG] headers - http-outgoing-0 << WWW-Authenticate: Bearer realm="https://accounts.google.com/"
[DEBUG] headers - http-outgoing-0 << Content-Type: application/json; charset=UTF-8
[DEBUG] headers - http-outgoing-0 << Content-Encoding: gzip
[DEBUG] headers - http-outgoing-0 << Date: Mon, 27 Nov 2017 11:41:34 GMT
[DEBUG] headers - http-outgoing-0 << Expires: Mon, 27 Nov 2017 11:41:34 GMT
[DEBUG] headers - http-outgoing-0 << Cache-Control: private, max-age=0
[DEBUG] headers - http-outgoing-0 << X-Content-Type-Options: nosniff
[DEBUG] headers - http-outgoing-0 << X-Frame-Options: SAMEORIGIN
[DEBUG] headers - http-outgoing-0 << X-XSS-Protection: 1; mode=block
[DEBUG] headers - http-outgoing-0 << Server: GSE
[DEBUG] headers - http-outgoing-0 << Alt-Svc: hq=":443"; ma=2592000; quic=51303431;
quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
[DEBUG] headers - http-outgoing-0 << Transfer-Encoding: chunked
[DEBUG] MainClientExec - Connection can be kept alive indefinitely
[DEBUG] HttpAuthenticator - Authentication required
[DEBUG] HttpAuthenticator - www.googleapis.com:443 requested authentication
[DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference:
[Negotiate, Kerberos, NTLM, Digest, Basic]
[DEBUG] TargetAuthenticationStrategy - Challenge for Negotiate authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available
{noformat}

> javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match
the certificate subject provided by the peer
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1884
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1884
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (async)
>    Affects Versions: 4.5.3
>         Environment: Ubuntu server 14.04
> Open JDK 1.8.0_111
>            Reporter: Yosep Stephen
>            Priority: Blocker
>              Labels: SSLPeerUnverifiedException
>
> Im using spring-social-google library:
> {code}
> <dependency>
>     <groupId>com.github.spring-social</groupId>
>     <artifactId>spring-social-google</artifactId>
>     <version>1.1.3</version>
> </dependency>
> {code}
> When i the authentication using google succeed, it try to fetch user profile info, but
it always error with SSL related problems. I saw a closed issue which may related:
> https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> But i have tried to switch to 4.3.6, but the issue still occured, and it says fixed on
4.5, so Im back with 4.5.3 with no luck.
> Here are the stack traces:
> {code}
> 2017-11-27 10:38:55,885 NUC - DEBUG (org.springframework.social.security.SocialAuthenticationFilter:205)
- Request is to process authentication
> 2017-11-27 10:38:58,379 NUC - DEBUG (org.springframework.social.google.security.GoogleAuthenticationService:103)
- failed to exchange for access
> org.springframework.web.client.ResourceAccessException: I/O error on GET request for
"https://www.googleapis.com/oauth2/v2/userinfo": Host name 'www.googleapis.com' does not match
the certificate subject provided by the peer (CN=*.googleapis.com, O=Google Inc, L=Mountain
View, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException:
Host name 'www.googleapis.com' does not match the certificate subject provided by the peer
(CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)
> 	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
> 	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
> 	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:287)
> 	at org.springframework.social.google.api.impl.AbstractGoogleApiOperations.getEntity(AbstractGoogleApiOperations.java:70)
> 	at org.springframework.social.google.api.oauth2.impl.OAuth2Template.getUserinfo(OAuth2Template.java:33)
> 	at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:59)
> 	at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:31)
> 	at org.springframework.social.google.connect.GoogleConnectionFactory.extractProviderUserId(GoogleConnectionFactory.java:38)
> 	at org.springframework.social.connect.support.OAuth2ConnectionFactory.createConnection(OAuth2ConnectionFactory.java:93)
> 	at org.springframework.social.security.provider.OAuth2AuthenticationService.getAuthToken(OAuth2AuthenticationService.java:100)
> 	at org.springframework.social.security.SocialAuthenticationFilter.attemptAuthService(SocialAuthenticationFilter.java:266)
> 	at org.springframework.social.security.SocialAuthenticationFilter.attemptAuthentication(SocialAuthenticationFilter.java:173)
> 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
> 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
> 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
> 	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:230)
> 	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:202)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
> 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> 	at org.terracotta.modules.tomcat.tomcat_7_0.SessionValve70.tcInvoke(SessionValve70.java:97)
> 	at org.terracotta.modules.tomcat.tomcat_7_0.SessionValve70.invoke(SessionValve70.java:82)
> 	at org.terracotta.session.ModernTomcatSessionValve.invoke(ModernTomcatSessionValve.java:66)
> 	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
> 	at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:872)
> 	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
> 	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2508)
> 	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2497)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does
not match the certificate subject provided by the peer (CN=*.googleapis.com, O=Google Inc,
L=Mountain View, ST=California, C=US)
> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
> 	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
> 	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> 	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> 	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> 	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> 	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> 	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> 	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> 	at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:89)
> 	at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
> 	at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
> 	at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:99)
> 	at org.springframework.social.oauth2.OAuth2TokenParameterRequestInterceptor.intercept(OAuth2TokenParameterRequestInterceptor.java:57)
> 	at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:86)
> 	at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:70)
> 	at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
> 	at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
> 	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)
> 	... 49 more
> 2017-11-27 10:38:58,385 NUC - DEBUG (org.springframework.social.security.SocialAuthenticationFilter:348)
- Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException:
authentication failed
> 2017-11-27 10:38:58,386 NUC - DEBUG (org.springframework.social.security.SocialAuthenticationFilter:349)
- Updated SecurityContextHolder to contain null Authentication
> 2017-11-27 10:38:58,386 NUC - DEBUG (org.springframework.social.security.SocialAuthenticationFilter:350)
- Delegating to authentication failure handler org.springframework.social.security.SocialAuthenticationFailureHandler@1c378e37
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message