CWPKI0824E error incorrectly shown for SSL Host Verification check

[apike2000]

Describe the bug
Starting to use OpenLiberty 24.0.0.9 we encountered the new SSL Certificate Host Verification Feature PH58796 when connecting via jdbc to our Db2 server. (https://www.ibm.com/support/pages/hostname-verification-liberty)

Because initiatally the certificate on Db2 did not include the hostname used to connect in the Subject Alternative Names we got an SQL errorcode -4499 and Db2 connections failed.

To correct this we updated the certificate on Db2 with subject alternative names for the hostname used to connect.

After this we were able to connect to and access the database but in the logs we still see CWPKI0824E errors:

CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [9.214.133.254]. The host name used to access the server does not match the server certificate's [Subject Alternative Name [dnsName:db2inst1_g53xr00008047.az13.dal.cpc.ibm.com, dnsName:gphubcl001.cpc.ibm.com, dnsName:g53xr00008047.az13.dal.cpc.ibm.com]]. The extended error message from the SSL handshake exception is: [No subject alternative names matching IP address 9.214.133.254 found]

We are using the hostname gphubcl001.cpc.ibm.com to connect which is listed as one of the Subject Alternative Names in the error.

The fact that we can access the database and no longer see the -4499 SQL Code makes me think Liberty is incorrectly throwing the CWPKI0824E error for a valid hostname.

The last part of the error "[No subject alternative names matching IP address 9.214.133.254 found]" suggests that something is trying to connect to the Db2 server using the IP address rather than the hostname. Our code doesn't do this so the suspicion is that OpenLiberty for some reason is trying to access the Db2 server with the IP address which is throwing the error.

Steps to Reproduce
Configure Db2 with a certificate containing the hostname used to connect in the Subject Alternative Names. In your OpenLiberty code use jdbc to connect using the hostname to the Db2 server

Expected behavior
The CWPKI0824E error should not thrown.

Diagnostic information:

• OpenLiberty Version: 24.0.0.9
• Affected feature(s) ?
• Java Version: java version "1.8.0_421" Java(TM) SE Runtime Environment (build 8.0.8.30 - pxa6480sr8fp30-20240801_01(SR8 FP30)) IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20240703_73934 (JIT enabled, AOT enabled) OpenJ9 - 177ad469d4e OMR - e74814c IBM - 3c87141) JCL - 20240731_02 based on Oracle jdk8u421-b09
• server.xml configuration (WITHOUT sensitive information like passwords)
• If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Additional context
Add any other context about the problem here.

[utle]

Can you turn on the trace for JDBC and SSL, re-create the issue and upload the trace.log and message.log. Thanks. https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-enabling-jdbc-tracing https://www.ibm.com/support/pages/mustgather-ssl-problems-websphere-liberty

[apike2000]

Please find attached a dump of the logs as documented in the MustGather link. There should be instances of the error at 29/10 13:28:40 and 29/10 12:28 defaultServer.dump-24.10.29_13.59.43.zip