OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

CWPKI0824E error incorrectly shown for SSL Host Verification check #29819

Open apike2000 opened 2 weeks ago

apike2000 commented 2 weeks ago

Describe the bug
Starting to use OpenLiberty 24.0.0.9 we encountered the new SSL Certificate Host Verification Feature PH58796 when connecting via jdbc to our Db2 server. (https://www.ibm.com/support/pages/hostname-verification-liberty)

Because initially the certificate on Db2 did not include the hostname used to connect in the Subject Alternative Names, we got SQL error code -4499 and Db2 connections failed.

To correct this we updated the certificate on Db2 with subject alternative names for the hostname used to connect.

After this we were able to connect to and access the database but in the logs we still see CWPKI0824E errors:

CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [9.214.133.254]. The host name used to access the server does not match the server certificate's [Subject Alternative Name [dnsName:db2inst1_g53xr00008047.az13.dal.cpc.ibm.com, dnsName:gphubcl001.cpc.ibm.com, dnsName:g53xr00008047.az13.dal.cpc.ibm.com]]. The extended error message from the SSL handshake exception is: [No subject alternative names matching IP address 9.214.133.254 found]

We are using the hostname gphubcl001.cpc.ibm.com to connect which is listed as one of the Subject Alternative Names in the error.

The fact that we can access the database and no longer see the -4499 SQL Code makes me think Liberty is incorrectly throwing the CWPKI0824E error for a valid hostname.

The last part of the error "[No subject alternative names matching IP address 9.214.133.254 found]" suggests that something is trying to connect to the Db2 server using the IP address rather than the hostname. Our code doesn't do this so the suspicion is that OpenLiberty for some reason is trying to access the Db2 server with the IP address which is throwing the error.

Steps to Reproduce
Configure Db2 with a certificate containing the hostname used to connect in the Subject Alternative Names. In your OpenLiberty code, use JDBC to connect to the Db2 server using the hostname.

Expected behavior
The CWPKI0824E error should not be thrown.

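The "No subject alternative names matching IP address ... found" wording in the quoted message is what Java's JSSE hostname checker produces when the identity it was asked to verify is an IP literal: under RFC 2818/6125 endpoint identification an IP literal is compared only against iPAddress SAN entries, and dNSName entries never match it, however many of them list the right hostname. The script below is an added example (not Open Liberty or IBM code) that parses a CWPKI0824E line shaped like the one quoted above, classifies the mismatch, and re-checks the hostname the application actually used against the same SAN set. The sample log line is constructed from the message in this report, and the regular expressions assume that message layout.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the CWPKI0824E line quoted in the issue (not a live log).
SAMPLE_LOG = (
    "CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting "
    "to host [9.214.133.254]. The host name used to access the server does not match the "
    "server certificate's [Subject Alternative Name [dnsName:db2inst1_g53xr00008047.az13.dal.cpc.ibm.com, "
    "dnsName:gphubcl001.cpc.ibm.com, dnsName:g53xr00008047.az13.dal.cpc.ibm.com]]. "
    "The extended error message from the SSL handshake exception is: "
    "[No subject alternative names matching IP address 9.214.133.254 found]"
)

# Assumed message layout: "connecting to host [<identity>]" and "Subject Alternative Name [<entries>]".
HOST_RE = re.compile(r"connecting to host \[([^\]]+)\]")
SAN_RE = re.compile(r"Subject Alternative Name \[([^\]]*)\]")


@dataclass
class SanCheck:
    host: str                     # identity that was verified (from the log line or the caller)
    host_is_ip: bool              # True when that identity is an IP literal
    dns_names: list = field(default_factory=list)
    ip_names: list = field(default_factory=list)
    matches: bool = False
    reason: str = ""


def parse_cwpki0824e(line):
    """Pull the verified identity and the SAN entries out of one CWPKI0824E message."""
    host = HOST_RE.search(line).group(1)
    dns_names, ip_names = [], []
    for entry in SAN_RE.search(line).group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "dnsName":
            dns_names.append(value.lower())
        elif kind == "iPAddress":
            ip_names.append(value)
    return host, dns_names, ip_names


def dns_name_matches(pattern, host):
    """RFC 6125 style dNSName match: exact, or a single wildcard as the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def check_host_against_san(host, dns_names, ip_names):
    """Decide whether `host` would pass endpoint identification against the given SAN set."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries; dNSName entries never match it.
        ok = any(ipaddress.ip_address(i) == ip for i in ip_names)
        if ok:
            reason = "IP literal found in an iPAddress SAN entry"
        elif not ip_names:
            reason = "identity is an IP literal but the certificate has no iPAddress SAN entries"
        else:
            reason = "IP literal not among the iPAddress SAN entries"
        return SanCheck(host, True, dns_names, ip_names, ok, reason)
    ok = any(dns_name_matches(p, host) for p in dns_names)
    reason = "DNS name matches a dNSName SAN entry" if ok else "DNS name absent from dNSName SAN entries"
    return SanCheck(host, False, dns_names, ip_names, ok, reason)


def triage(line):
    """Parse one CWPKI0824E line and classify why verification failed."""
    host, dns_names, ip_names = parse_cwpki0824e(line)
    return check_host_against_san(host, dns_names, ip_names)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result.host}: matches={result.matches} ({result.reason})")
    # Re-check the name the application actually used, against the same SAN set.
    again = check_host_against_san("gphubcl001.cpc.ibm.com", result.dns_names, result.ip_names)
    print(f"{again.host}: matches={again.matches} ({again.reason})")
```

Run against the quoted line, the triage reports that the verified identity was the IP literal and that the certificate carries no iPAddress entry, while the hostname from the JDBC URL matches a dNSName entry. That separates the two questions in this report: the certificate is fine for the configured hostname, so the remaining question for the trace is which code path handed the IP address, rather than the hostname, to endpoint identification.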

utle commented 2 weeks ago

Can you turn on the trace for JDBC and SSL, re-create the issue and upload the trace.log and message.log. Thanks. https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-enabling-jdbc-tracing https://www.ibm.com/support/pages/mustgather-ssl-problems-websphere-liberty

apike2000 commented 1 day ago

Please find attached a dump of the logs as documented in the MustGather link. There should be instances of the error at 29/10 13:28:40 and 29/10 12:28 defaultServer.dump-24.10.29_13.59.43.zip