PSM connecting HTTPS with Wildcard certificate in subject alternative name

Description

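The certificate has a subject alternative name (SAN) with a wildcard. From some research, it seems that a specific wildcard host name verifier is required: http://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#SECMG573 Note, however, that the alert in the trace below, `unrecognized_name`, is raised inside `SSLSocketImpl.startHandshake`, i.e. during the TLS handshake itself. That alert is defined for the Server Name Indication (SNI) extension, so the failure may be unrelated to host name verification of the wildcard SAN; this should be confirmed before any host name verification is relaxed.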

The error message:

2015-09-19 01:45:45,020 DEBUG [Poller-Thread-26-of-100] o.o.n.p.m.PageSequenceMonitor: I/O Error javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1438) ~[?:1.8.0_60] at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2016) ~[?:1.8.0_60] at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[?:1.8.0_60] at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_60] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_60] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_60] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:318) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[httpclient-4.3.4.jar:4.3.4] at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[httpclient-4.3.4.jar:4.3.4] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) ~[httpclient-4.3.4.jar:4.3.4] at org.opennms.core.web.HttpClientWrapper.execute(HttpClientWrapper.java:326) ~[org.opennms.core.web-16.0.3.jar:?] at org.opennms.netmgt.poller.monitors.PageSequenceMonitor$HttpPage.execute(PageSequenceMonitor.java:374) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.monitors.PageSequenceMonitor$HttpPageSequence.execute(PageSequenceMonitor.java:200) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.monitors.PageSequenceMonitor$HttpPageSequence.access$100(PageSequenceMonitor.java:158) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.monitors.PageSequenceMonitor.poll(PageSequenceMonitor.java:678) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.LatencyStoringServiceMonitorAdaptor.poll(LatencyStoringServiceMonitorAdaptor.java:111) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableServiceConfig.poll(PollableServiceConfig.java:113) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableService.poll(PollableService.java:191) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.poll(PollableElement.java:293) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableContainer$5.run(PollableContainer.java:319) [opennms-services-16.0.3.jar:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_60] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:264) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:250) [opennms-services-16.0.3.jar:?] 
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:228) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableContainer.poll(PollableContainer.java:326) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableInterface.poll(PollableInterface.java:224) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableContainer$5.run(PollableContainer.java:319) [opennms-services-16.0.3.jar:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_60] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:264) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:250) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:228) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableContainer.poll(PollableContainer.java:326) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableNode$3.run(PollableNode.java:331) [opennms-services-16.0.3.jar:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_60] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:264) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:250) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:228) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableNode.doPoll(PollableNode.java:334) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.doPoll(PollableElement.java:184) [opennms-services-16.0.3.jar:?] 
at org.opennms.netmgt.poller.pollables.PollableService.doPoll(PollableService.java:226) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableService$PollRunner.run(PollableService.java:63) [opennms-services-16.0.3.jar:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_60] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:264) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:250) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableService.doRun(PollableService.java:413) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.poller.pollables.PollableService.run(PollableService.java:388) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.scheduler.Schedule.run(Schedule.java:142) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.scheduler.Schedule$ScheduleEntry.run(Schedule.java:86) [opennms-services-16.0.3.jar:?] at org.opennms.netmgt.scheduler.LegacyScheduler$1.run(LegacyScheduler.java:209) [opennms-services-16.0.3.jar:?] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_60] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_60] at org.opennms.core.concurrent.LogPreservingThreadFactory$3.run(LogPreservingThreadFactory.java:124) [opennms-util-16.0.3.jar:?] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]

Environment

OpenNMS 16.0.3

java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

Acceptance / Success Criteria

None

Attachments

1
  • 18 Sep 2015, 07:56 PM

Activity

Benjamin Reed June 30, 2016 at 12:56 PM

Would changing this property mean any SSL negotiation we do ignores the server name in certificates? Is that a security risk?

Seth Leger October 6, 2015 at 4:53 PM

Good catch, looks like an issue that would be pretty difficult to debug. Let's look at putting those flags into OpenNMS 18.

Ronny Trommer September 18, 2015 at 7:56 PM

Screenshot with SSL certificate

Created September 18, 2015 at 7:51 PM
Updated July 26, 2023 at 2:15 PM
