Apache CXF + grails - intermittent error - The https URL hostname does not match the Common Name (CN)

StackOverflow https://stackoverflow.com/questions/23499634

  •  16-07-2023

Question

I am using the Apache CXF plugin (I have tried both 1.5.6 and 1.6.1) with Grails (2.2.3) to call a web service over SSL.

I am sometimes getting the error "The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true."

However, it doesn't always occur. Usually it will work a few times, and then I will start getting the error. I am starting to suspect that the error message does not reflect the actual problem. I have set disableCNCheck to true in Config.groovy, but I still see the same behavior:

cxf {
    client {
        requestClient {
            clientInterface = gov.agency.RequestPortType
            serviceEndpointAddress = "https://agency.gov/service"
            secureSocketProtocol = CxfClientConstants.SSL_PROTOCOL_TLSV1
            tlsClientParameters = [disableCNCheck: true]            
        }
    }
}

Any thoughts?

Here is a snippet of the debug output from the plugin:

2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleMessage on interceptor org.apache.cxf.interceptor.BareOutInterceptor@464ea113
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG http.Headers  - Accept: */*
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG http.Headers  - SOAPAction: "tns:ProvideAndRegisterDocumentSet-bRequest"
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG http.TrustDecisionUtil  - No Trust Decider for Conduit '{urn:ihe:iti:xdr:async:request:2007}XDRRequest_PortTypePort.http-conduit'. An afirmative Trust Decision is assumed.
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.interceptor.BareOutInterceptor@464ea113
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor@5fa570da
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxOutInterceptor@111ad6e7
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.interceptor.AttachmentOutInterceptor@1de6a407
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.interceptor.LoggingOutInterceptor@15024134
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor@4706c7b2
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor@54310a74
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderOutFilterInterceptor@7912e076
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassOutInterceptor@7ec40b92
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.SwAOutInterceptor@e209b8c
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.HolderOutInterceptor@78d3df42
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain  - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyOutInterceptor@295cf1bb
2014-05-06 09:32:36,626 [http-bio-8080-exec-9] WARN  phase.PhaseInterceptorChain  - Interceptor for {urn:ihe:iti:xdr:async:request:2007}XDRRequestPortTypeService#{urn:ihe:iti:xdr:async:request:2007}ProvideAndRegisterDocumentSet-bRequest has thrown exception, unwinding now
Message: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore.  Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
   Line | Method
->> 101 | writeParts        in org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
|    68 | handleMessage     in org.apache.cxf.interceptor.BareOutInterceptor
|   262 | doIntercept . . . in org.apache.cxf.phase.PhaseInterceptorChain
|   531 | doInvoke          in org.apache.cxf.endpoint.ClientImpl
|   464 | invoke . . . . .  in     ''
|   367 | invoke            in     ''
|   320 | invoke . . . . .  in     ''
|    89 | invokeSync        in org.apache.cxf.frontend.ClientProxy
|   134 | invoke . . . . .  in org.apache.cxf.jaxws.JaxWsClientProxy
|   424 | invoke            in com.grails.cxf.client.WebServiceClientFactoryImpl$WSClientInvocationHandler

Solution

After spending some time on this, I discovered that the secureSocketProtocol was not being set correctly. I changed my Config.groovy to fully qualify the constant:

secureSocketProtocol = com.grails.cxf.client.CxfClientConstants.SSL_PROTOCOL_TLSV1

and I am no longer experiencing the issue, so I guess that was the problem all along.
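
Why an unqualified constant can fail silently, as an added example (not code from the original post or from the cxf-client plugin): Grails reads Config.groovy with ConfigSlurper, which turns a name it cannot resolve into an empty ConfigObject instead of raising an error. The sketch assumes the asker's file had no import for CxfClientConstants; `requireProtocol` is a hypothetical guard, and the literal "TLSv1" stands in for the resolved constant (an assumed value).

```groovy
// Added illustration; not code from the question, the answer, or the cxf-client plugin.
// Constructed Config.groovy fragments. No import for CxfClientConstants is present,
// which is assumed to match the asker's file.
def unqualified = '''
cxf { client { requestClient {
    serviceEndpointAddress = "https://agency.gov/service"
    secureSocketProtocol = CxfClientConstants.SSL_PROTOCOL_TLSV1
} } }
'''
// A literal stands in for the fully qualified constant, because the plugin class
// is not on the classpath of this stand-alone script ("TLSv1" is an assumed value).
def resolved = '''
cxf { client { requestClient {
    serviceEndpointAddress = "https://agency.gov/service"
    secureSocketProtocol = "TLSv1"
} } }
'''

// Hypothetical startup check: fail loudly instead of letting an empty map
// reach the TLS setup, where the resulting error may point somewhere else.
String requireProtocol(ConfigObject cfg) {
    def value = cfg.cxf.client.requestClient.secureSocketProtocol
    if (!(value instanceof CharSequence) || !value.toString().trim()) {
        throw new IllegalStateException(
            "secureSocketProtocol is ${value.getClass().simpleName} " +
            "(${value.inspect()}), expected a protocol name")
    }
    value.toString()
}

def good = new ConfigSlurper().parse(resolved)
assert requireProtocol(good) == 'TLSv1'

def bad = new ConfigSlurper().parse(unqualified)
// The unresolved name did not throw: ConfigSlurper produced nested empty ConfigObjects.
assert bad.cxf.client.requestClient.secureSocketProtocol instanceof ConfigObject
try {
    requireProtocol(bad)
    assert false : 'expected the guard to reject the config'
} catch (IllegalStateException e) {
    println "rejected: ${e.message}"
}
```

A check of this kind at application startup surfaces the misconfiguration directly, which removes the temptation to set disableCNCheck while chasing a misleading hostname error.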

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow