csaunderson

SSL certificate oddities

I have gone through the pain of requesting and importing certificates for both my OO Centrals and also for my HPSA infrastructure.

I have also rolled back the java.security changes in my local Studio that were required to work around this in the first place, namely enabling -disableSNIExtension and some verifyName parameters.

What's confusing me now are the following behavior oddities:

1) Local debug connection:

Providing the shortname for the coreHost (eg dev001) results in a success, FQDN (dev001.cert.lab) fails as an unknown_name error, DESPITE the certificate being issued with the CN of the FQDN OR a certificate having a CN of the FQDN and a SAN for the short name.

This behavior is persistent whether the certificate for the host is imported into the client.truststore in the .oo directory or not. This behavior is also consistent: short name works, FQDN fails.

 

2) proxied debug connection:

Providing the shortname for the coreHost (eg dev001) results in a success, FQDN (dev001.cert.lab) fails as an unknown_name error, DESPITE the certificate being issued with the CN of the FQDN OR a certificate having a CN of the FQDN and a SAN for the short name. The Central has all the certificates imported for all the HPSA hosts.

This behavior is also consistent: short name works, FQDN fails.

This may be a factor of the HPSA load balancing that may go on in the background, but it's surely quite annoying.


Am I seeing behavior that is expected, especially when it comes to the HPSA coreHost side?


--Chris
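The post above lists two certificate shapes (CN=FQDN only, and CN=FQDN plus a SAN for the short name) and asks why only the short name is accepted. Independently of the SNI question, it is worth knowing what a strict hostname verifier (the kind enabled by a setting such as ssl.verifyHostName=true) will accept for each shape. The script below is an added example, not code from OO, HPSA or the poster: it implements the RFC 6125 matching rule (dNSName SANs are authoritative whenever any are present; the subject CN is consulted only when the certificate has no dNSName SAN) over certificates constructed inline in the dict layout Python's ssl.SSLSocket.getpeercert() returns. The certificate contents and host names are assumptions taken from the post; SNI handling, which the poster later identifies as the actual cause, is a separate handshake step that this check does not model.

```python
"""Hostname-matching rules a TLS client applies to a server certificate.

Added example for this thread (not code from OO, HPSA or the poster).
Certificates below are constructed in the dict layout that Python's
ssl.SSLSocket.getpeercert() returns; no network access is needed.
"""
from typing import Dict, List, Tuple

Cert = Dict[str, tuple]


def dns_names(cert: Cert) -> Tuple[List[str], List[str]]:
    """Return (subjectAltName dNSName entries, subject commonName entries)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match. A single '*' is accepted only as the whole
    leftmost label, it must not cover a public-suffix-sized name (fewer than
    three labels), and it matches exactly one label, never 'a.b.cert.lab'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: Cert, hostname: str) -> bool:
    """RFC 6125 section 6.4.4 behaviour: if the certificate carries any dNSName
    SAN, only those are compared; the CN is a fallback for SAN-less certs."""
    sans, cns = dns_names(cert)
    candidates = sans if sans else cns
    return any(_label_match(name, hostname) for name in candidates)


# Constructed sample certificates (assumed shapes from the post, not real certs).
CERT_CN_FQDN = {
    "subject": ((("commonName", "dev001.cert.lab"),),),
}
CERT_CN_FQDN_SAN_SHORT = {
    "subject": ((("commonName", "dev001.cert.lab"),),),
    "subjectAltName": (("DNS", "dev001"),),
}
CERT_SAN_BOTH = {
    "subject": ((("commonName", "dev001.cert.lab"),),),
    "subjectAltName": (("DNS", "dev001.cert.lab"), ("DNS", "dev001")),
}


def report(cert: Cert, hosts=("dev001", "dev001.cert.lab")) -> Dict[str, bool]:
    """Which of the candidate coreHost spellings this certificate is valid for."""
    return {h: match_hostname(cert, h) for h in hosts}


if __name__ == "__main__":
    for label, cert in [("CN=FQDN only", CERT_CN_FQDN),
                        ("CN=FQDN, SAN=short", CERT_CN_FQDN_SAN_SHORT),
                        ("CN=FQDN, SAN=FQDN+short", CERT_SAN_BOTH)]:
        print(f"{label:26} {report(cert)}")
```

The second row is the caveat worth checking in any real certificate: once a SAN extension with a dNSName is present, a conforming verifier ignores the CN, so a certificate with CN=dev001.cert.lab and only DNS:dev001 in the SAN is valid for the short name and not for the FQDN. If both spellings are in use, both must appear as dNSName SANs (third row). Inspect a live certificate with `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` before assuming the CN counts.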

AndreiTruta

Re: SSL certificate oddities

Hi Chris

For the HPSA code behavior part I suggest to open a discussion on the SA forum.

For the OO behavior, we could meet offline if needed.

I need to grab a full picture of the behavior to understand better where the inconsistencies come from.

Andrei Vasile Truta
csaunderson

Re: SSL certificate oddities

Hi Andrei,

Thanks for the response. I've been doing more testing/debugging and as near as I can tell, it's the jsse.enableSNIExtension default that's the problem. When I explicitly disable that, regardless of the use of FQDN or shortname, the calls succeed. As a side note, I also have ssl.support-self-signed=false and ssl.verifyHostName=true set, so I'm fairly confident in that SNIExtension being the cause.


--Chris
