CWPKI0824E error incorrectly shown for SSL Host Verification check #29819

Open
apike2000 opened this issue Oct 10, 2024 · 1 comment
Labels: Acknowledged (An initial response has been provided. Remove the 'Needs member attention' label.), release bug (This bug is present in a released version of Open Liberty), team:Core Security

Comments

@apike2000

Describe the bug
Starting to use OpenLiberty 24.0.0.9, we encountered the new SSL Certificate Host Verification Feature PH58796 when connecting via JDBC to our Db2 server. (https://www.ibm.com/support/pages/hostname-verification-liberty)

Because initially the certificate on Db2 did not include the hostname used to connect in the Subject Alternative Names, we got SQL error code -4499 and Db2 connections failed.

To correct this we updated the certificate on Db2 with subject alternative names for the hostname used to connect.

After this we were able to connect to and access the database but in the logs we still see CWPKI0824E errors:

CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [9.214.133.254]. The host name used to access the server does not match the server certificate's [Subject Alternative Name [dnsName:db2inst1_g53xr00008047.az13.dal.cpc.ibm.com, dnsName:gphubcl001.cpc.ibm.com, dnsName:g53xr00008047.az13.dal.cpc.ibm.com]]. The extended error message from the SSL handshake exception is: [No subject alternative names matching IP address 9.214.133.254 found]

We are using the hostname gphubcl001.cpc.ibm.com to connect which is listed as one of the Subject Alternative Names in the error.

The fact that we can access the database and no longer see the -4499 SQL Code makes me think Liberty is incorrectly throwing the CWPKI0824E error for a valid hostname.

The last part of the error "[No subject alternative names matching IP address 9.214.133.254 found]" suggests that something is trying to connect to the Db2 server using the IP address rather than the hostname. Our code doesn't do this, so the suspicion is that OpenLiberty for some reason is trying to access the Db2 server with the IP address, which is throwing the error.

Steps to Reproduce
1. Configure Db2 with a certificate containing the hostname used to connect in the Subject Alternative Names.
2. In your OpenLiberty code, use JDBC to connect to the Db2 server using the hostname.

Expected behavior
The CWPKI0824E error should not be thrown.

Diagnostic information:

  • OpenLiberty Version: 24.0.0.9
  • Affected feature(s):
  • Java Version:
    java version "1.8.0_421"
    Java(TM) SE Runtime Environment (build 8.0.8.30 - pxa6480sr8fp30-20240801_01(SR8 FP30))
    IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20240703_73934 (JIT enabled, AOT enabled)
    OpenJ9 - 177ad469d4e
    OMR - e74814c
    IBM - 3c87141)
    JCL - 20240731_02 based on Oracle jdk8u421-b09
  • server.xml configuration (WITHOUT sensitive information like passwords)
  • If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Additional context
Add any other context about the problem here.
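To make the matching rule behind that message concrete, here is an added Python model (not code from the issue or from Open Liberty) of the host-name check a TLS client performs in the RFC 6125 style that Java's hostname verifier follows: an IP-literal target is compared only against iPAddress SAN entries, a DNS name only against dNSName entries, so a dnsName-only certificate can never satisfy a connection dialled by IP address. The SAN list is the one quoted in the error above; the function names are my own.

```python
import ipaddress
from typing import List, Tuple

# SAN entries copied from the CWPKI0824E message quoted in the issue (constructed input).
SAN_ENTRIES = [
    ("dnsName", "db2inst1_g53xr00008047.az13.dal.cpc.ibm.com"),
    ("dnsName", "gphubcl001.cpc.ibm.com"),
    ("dnsName", "g53xr00008047.az13.dal.cpc.ibm.com"),
]


def is_ip_literal(target: str) -> bool:
    """True when the dialled host is an IPv4/IPv6 literal (brackets allowed for IPv6)."""
    try:
        ipaddress.ip_address(target.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard is accepted only as the whole
    left-most label and must leave at least two fixed labels (no '*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def ip_matches(san_ip: str, target: str) -> bool:
    """Compare an iPAddress SAN with the dialled IP literal as parsed addresses."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        return False


def verify_host(target: str, sans: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, explanation). Only the SAN type matching the target's form is
    consulted, which is why dnsName entries never match an IP-address target."""
    if is_ip_literal(target):
        if any(ip_matches(v, target) for t, v in sans if t == "iPAddress"):
            return True, f"iPAddress SAN matches {target}"
        return False, f"No subject alternative names matching IP address {target} found"
    if any(dns_name_matches(v, target) for t, v in sans if t == "dnsName"):
        return True, f"dnsName SAN matches {target}"
    return False, f"No subject alternative DNS name matching {target} found"
```

Run against the SAN list from the message, the hostname the application uses passes and the IP literal fails with the same wording the error shows, which is the quick check to run when deciding whether some component is dialling the server by address rather than by name.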

@apike2000 apike2000 added the release bug This bug is present in a released version of Open Liberty label Oct 10, 2024
@utle utle self-assigned this Oct 15, 2024
@utle (Member) commented Oct 15, 2024

Can you turn on the trace for JDBC and SSL, re-create the issue, and upload the trace.log and message.log? Thanks.
https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-enabling-jdbc-tracing
https://www.ibm.com/support/pages/mustgather-ssl-problems-websphere-liberty

@Zech-Hein Zech-Hein added Acknowledged An initial response has been provided. Remove the 'Needs member attention' label. and removed Needs member attention labels Oct 16, 2024