Netflix/eureka

Eureka Client cannot make HTTPS requests to servers that use multiple certificates via SNI

Closed this issue · 0 comments

EurekaJerseyClientImpl uses deprecated, pre-HttpClient 4.3 APIs to create the SSLSocketFactory used in MonitoredConnectionManager [1]. Support for Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication) was introduced in Apache HttpClient 4.3.2 [2]. When using the deprecated APIs, requests to servers that are protected with multiple certificates, which is typical of environments with many applications behind a single load balancer, will fail.

This can be demonstrated by setting the serviceUrl to https://api.google.com/. If the SSL handshake doesn't do SNI properly, the client will get the certificate for www.google.com, and hostname verification will fail with this exception. If SNI succeeds we won't see this exception (but we'll see another Eureka-specific exception, obviously).

2016-11-15 17:12:33.841 ERROR 65408 --- [nfoReplicator-0] c.n.d.s.t.d.RedirectingEurekaHttpClient  : Request execution error

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLException: Certificate for <api.google.com> doesn't match any of the subject alternative names: [www.google.com]
	at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.filter.GZIPContentEncodingFilter.handle(GZIPContentEncodingFilter.java:123) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.4.11.jar:1.4.11]

...

Caused by: javax.net.ssl.SSLException: Certificate for <api.google.com> doesn't match any of the subject alternative names: [www.google.com]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165) ~[httpclient-4.5.2.jar:4.5.2]
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61) ~[httpclient-4.5.2.jar:4.5.2]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141) ~[httpclient-4.5.2.jar:4.5.2]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114) ~[httpclient-4.5.2.jar:4.5.2]
	at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580) ~[httpclient-4.5.2.jar:4.5.2]
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) ~[httpclient-4.5.2.jar:4.5.2]
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412) ~[httpclient-4.5.2.jar:4.5.2]
	at 
...

[1] https://github.com/Netflix/eureka/blob/v1.6.0/eureka-client/src/main/java/com/netflix/discovery/shared/transport/jersey/EurekaJerseyClientImpl.java#L222
[2] https://hc.apache.org/news.html
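The two constructions the issue contrasts, as an added example that is not Eureka's own code: the first method reproduces the deprecated pre-4.3 wiring (SSLSocketFactory, SchemeRegistry, ThreadSafeClientConnManager, which Eureka's MonitoredConnectionManager extends); the second uses the HttpClient 4.3+ SSLConnectionSocketFactory, which sends the SNI extension on JRE 7+ so the server can pick the certificate for the requested name. The class name SniClients and the `main` method are assumptions for illustration; the reproduction URL is the one given in the issue. Both variants keep hostname verification enabled.

```java
// Added example (not Eureka's code): legacy vs. SNI-capable HttpClient wiring.
import javax.net.ssl.SSLContext;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;

public class SniClients {

    /**
     * Deprecated pre-4.3 wiring, the shape EurekaJerseyClientImpl uses.
     * The legacy SSLSocketFactory does not send SNI, so a load balancer
     * holding several certificates answers with its default one and the
     * BrowserCompatHostnameVerifier (seen in the issue's stack trace) rejects it.
     */
    @SuppressWarnings("deprecation")
    static DefaultHttpClient legacyClient(SSLContext sslContext) {
        SSLSocketFactory legacyFactory = new SSLSocketFactory(
                sslContext, SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
        SchemeRegistry schemes = new SchemeRegistry();
        schemes.register(new Scheme("https", 443, legacyFactory));
        // MonitoredConnectionManager in Eureka extends ThreadSafeClientConnManager.
        ClientConnectionManager cm = new ThreadSafeClientConnManager(schemes);
        return new DefaultHttpClient(cm);
    }

    /**
     * HttpClient 4.3+ wiring. SSLConnectionSocketFactory sets the SNI host name
     * during the handshake (JRE 7+), and DefaultHostnameVerifier still checks the
     * returned certificate against the requested host, as RFC 2818 requires.
     */
    static CloseableHttpClient sniClient(SSLContext sslContext) {
        SSLConnectionSocketFactory sniFactory = new SSLConnectionSocketFactory(
                sslContext, new DefaultHostnameVerifier());
        Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", sniFactory)
                        .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(200);
        return HttpClients.custom().setConnectionManager(cm).build();
    }

    public static void main(String[] args) throws Exception {
        // Default URL is the reproduction host named in the issue.
        String url = args.length > 0 ? args[0] : "https://api.google.com/";
        SSLContext ctx = SSLContext.getDefault(); // JVM default trust store
        try (CloseableHttpClient client = sniClient(ctx)) {
            HttpResponse resp = client.execute(new HttpGet(url));
            System.out.println(resp.getStatusLine());
        }
    }
}
```

Run `main` with the SNI-capable client and the handshake completes and the request proceeds to the HTTP layer; swap in `legacyClient` and the same URL fails in `verifyHostname` exactly as in the trace above. The failing verifier is doing its job: it is comparing the name the client asked for against the certificate it actually received, so the correct fix is to let the server select the right certificate via SNI, not to relax or disable hostname verification.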