java.io.IOException: HTTPS hostname wrong
Scott Battaglia
scott.battaglia at gmail.com
Wed Sep 12 14:36:07 EDT 2007
Ross,
You have sparked my memory. There was a bug in Tomcat 5.5.16 where they
started returning "" instead of null. I believe they fixed it in 5.517 or
higher.
-Scott
On 9/12/07, Ross Bleakney <rossbleakney at hotmail.com> wrote:
>
> Yes, thanks, I noticed that and I think I figured out why that is so.
> The short answer is, bad tomcat. Here is the long answer: My web.xml
> contains:
>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> <param-value>localhost:8080</param-value>
> </init-param>
>
> The service is set within edu/yale/its/tp/cas/client/Util.getService()
> when the filter is called. Inside there, the server comes in as
> "localhost:8080". Right before being encoded, the return buffer gets set
> to "http://localhost:8080/casSample/index.html?" (I added a bunch of log
> statements). The trailing "?" is added because of the block:
>
> if (request.getQueryString() != null) {
>
> is true. It is true, even though the query string is empty and the url
> contains no "?" (bad tomcat -- I confirmed this behavior by writing a
> little servlet -- tomcat returns an empty string even if there is no "?"
> or nothing after the "?"). When Util.getService sees that ticketLoc is
> null, the query string is appended wholesale (to quote the comments).
> The problem is, the query string is an empty string, so I get
> "http://localhost:8080/casSample/index.html?" (before it is encoded).
>
> I'm using Tomcat 5.5.16. I'll see if there is a different version of tomcat
> that doesn't have this problem. I'll post an update when I find a better
> tomcat. I think I'll post this whole message over again on a different
> thread, since it is significantly different than my original problem (which
> was caused by a bit of miscommunication and solved by looking at the
> certificate).
>
> Thanks everyone.
> Ross
>
>
> Scott Battaglia wrote:
> >Ross,
> >
> >There is an inconsistency in the service url provided at login time and at
> >validation time:
> >
> >The original service was
> >'http://localhost:8080/casSample/index.html?' and the supplied service was
> >'http://localhost:8080/casSample/index.html'.
> >
> >You appear to have an extra "?".
> >
> >-Scott
> >
> >On 9/12/07, Ross Bleakney <rossbleakney at hotmail.com> wrote:
> >
> > Excellent. That did point out my problem. The certificate says
> > "gammel1.devqa.sersol.il.pqe" but I was using "gammel1.devqa". So, I
> > changed my filter to use "gammel1.devqa.sersol.il.pqe", but now I get a
> > different error:
> >
> > javax.servlet.ServletException : Unable to validate ProxyTicketValidator
> > [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://gammel1.devqa.sersol.il.pqe:8443/cas/serviceValidate]
> > ticket=[ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20]
> > service=[http%3A%2F%2Flocalhost%3A8080%2FcasSample%2Findex.html]
> > errorCode=[INVALID_SERVICE] errorMessage=[ticket
> > 'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match supplied
> > service. The original service was
> > 'http://localhost:8080/casSample/index.html?' and the supplied service was
> > 'http://localhost:8080/casSample/index.html'.] renew=false
> > entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> > <cas:authenticationFailure code='INVALID_SERVICE'>
> > ticket 'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match
> > supplied service. The original service was
> > 'http://localhost:8080/casSample/index.html?' and the supplied service was
> > 'http://localhost:8080/casSample/index.html'.
> > </cas:authenticationFailure>
> > </cas:serviceResponse>
> >
> >
> > Any ideas?
> > Thanks,
> > Ross
> >
> > Andrew Petro wrote:
> > > > Is there a way to check this?
> > >
> > >Yes. View something served by that machine over https:// in your web
> > >browser and use its SSL certificate inspection features (typically
> > >available by clicking the "lock icon").
> > >
> > >RossBleakney wrote:
> > >>I believe it was "gammel1.devqa" (if I understand how this is set). I
> > >>don't know a lot about SSL, so I asked one of our admin guys (who has a
> > >>lot more experience setting up SSL) to configure that server. I
> > >>specifically asked him what he answered when prompted for first name, last
> > >>name, etc. and he said "gammel1.devqa". Is there a way to check this? I am
> > >>at home now, so I can't access the code (or the two machines) so I'll
> > >>probably bug the list again tomorrow. But if you know of something to try
> > >>in the morning, I very much appreciate it.
> > >>Thanks,
> > >>Ross
> > >>
> > >> ----- Original Message -----
> > >> *From:* Scott Battaglia <scott.battaglia at gmail.com>
> > >> *To:* Yale CAS mailing list <cas at tp.its.yale.edu>
> > >> *Sent:* Tuesday, September 11, 2007 7:56 PM
> > >> *Subject:* Re: java.io.IOException : HTTPS hostname wrong
> > >>
> > >> Ross,
> > >>
> > >> When you created your certificates via the keytool, what did you
> > >> choose as the CN?
> > >>
> > >> -Scott
> > >>
> > >> <snip>
> > >>
> >
> >
> >>------------------------------------------------------------------------
> > >>
> > >>_______________________________________________
> > >>Yale CAS mailing list
> > >>cas at tp.its.yale.edu
> > >>http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
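
The mismatch diagnosed in this thread, as an added example (not code from the Yale CAS client or from the posters): a simplified model of service-URL construction showing how an empty query string yields the trailing "?" at login time, and how treating "" like null keeps the login and validation URLs identical. The class and method names are hypothetical and the ticket value is constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class ServiceUrlDemo {

    // Query string with the ticket parameter removed ("" if nothing is left).
    static String withoutTicket(String query) {
        List<String> kept = new ArrayList<>();
        for (String pair : query.split("&")) {
            if (!pair.isEmpty() && !pair.equals("ticket") && !pair.startsWith("ticket=")) {
                kept.add(pair);
            }
        }
        return String.join("&", kept);
    }

    // Simplified model of the behaviour described in the thread: only null counts
    // as "no query string", and a query without a ticket is appended wholesale.
    static String nullCheckOnly(String base, String query) {
        if (query == null) return base;
        if (!query.contains("ticket=")) return base + "?" + query;
        String rest = withoutTicket(query);
        return rest.isEmpty() ? base : base + "?" + rest;
    }

    // Hardened form: null and "" are both treated as "no query string".
    static String normalized(String base, String query) {
        String rest = (query == null) ? "" : withoutTicket(query);
        return rest.isEmpty() ? base : base + "?" + rest;
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080/casSample/index.html";
        String atLogin = "";                                  // container reports "" for a URL with no "?"
        String atValidation = "ticket=ST-constructed-ticket"; // constructed ticket value

        String a = nullCheckOnly(base, atLogin), b = nullCheckOnly(base, atValidation);
        System.out.println("null check only: login=" + a + " validation=" + b + " match=" + a.equals(b));

        String c = normalized(base, atLogin), d = normalized(base, atValidation);
        System.out.println("normalized:      login=" + c + " validation=" + d + " match=" + c.equals(d));
    }
}
```

The CAS server compares the service string recorded at login with the one supplied at validation, so any difference between the two, even a bare "?", produces INVALID_SERVICE.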