Layer 7 API Management


Change in Hostname verification from 9.3 to 9.4?

  • 1.  Change in Hostname verification from 9.3 to 9.4?

    Posted 01-06-2020 06:01 AM
    Hi

    I deployed a new gateway with Version 9.4 CR3 that will replace a gateway with version 9.3 CR1.

    So, I installed the same stuff on the new gateway and ran my test suites against it. I got several tests with the following error:
    Unable to obtain HTTP response from https://[host]:[port]/[URI]: SSL verification failed!

    Therefore I tried some things and noticed that the errors disappear when I set
    io.httpsHostVerify = false

    So, this is not a big surprise, since the certificate name and the hostname are not the same.

    But, on second thought, I wondered why this works without any problems on the gateway version 9.3 CR1?

    Even when I explicitly add hostname verification on the old gateway (it is also by default true), the SSL connections are working just fine:
    io.httpsHostVerify = true

    Has hostname verification been fixed in any release after 9.3 CR1 or how can this behaviour be explained?

    Thanks
    Stephan



  • 2.  RE: Change in Hostname verification from 9.3 to 9.4?
    Best Answer

    Posted 01-06-2020 08:19 AM
    Hi Stephan,

    It looks like this is one of the bugs addressed in 9.4cr3. It does not appear to have been backported to any 9.3 releases.

    DE416831
    Corrected an issue when a Certificate is trusted and enabled for SSL Outbound, it does not check io.httpsHostVerify cluster property.

    Regards,
    Joe


  • 3.  RE: Change in Hostname verification from 9.3 to 9.4?

    Posted 01-06-2020 09:29 AM
    Edited by Stephan Burkard 01-06-2020 09:30 AM
    Hi Joe

    I found this release note (can be found here), but could not find any details about it. Thanks for confirming my observations.

    So, if anybody encounters the same problem, there are two possible solutions:

    1. Fix either the certificate or the hostname so they match
    2. If you don't need hostname verification: Set the cluster property
      io.httpsHostVerify = false
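
For option 1 above, an added example (not from the thread, and not the gateway's own verifier) that lists which routed hostnames do not match their certificate's subjectAltName entries, so the mismatches can be fixed before hostname verification is enforced. The inventory, the function names and the SAN-only, RFC 6125-style matching rules are assumptions.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, hostname):
    """Wildcard is honoured only as the whole leftmost label and covers one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def hostname_matches(hostname, san_dns=(), san_ip=()):
    # An IP literal may only match an iPAddress SAN, never a dNSName.
    if _is_ip(hostname):
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    return any(dns_name_matches(p, hostname) for p in san_dns)

# Constructed inventory (assumption): hostname used in the route URL and the
# SAN entries of the certificate that backend presents.
ROUTES = [
    {"host": "api.backend.example", "san_dns": ["api.backend.example"]},
    {"host": "orders.backend.example", "san_dns": ["*.backend.example"]},
    {"host": "a.b.backend.example", "san_dns": ["*.backend.example"]},
    {"host": "10.0.0.15", "san_dns": ["legacy.backend.example"]},
    {"host": "10.0.0.16", "san_dns": [], "san_ip": ["10.0.0.16"]},
    {"host": "lb-internal", "san_dns": ["app01.backend.example"]},
]

def audit(routes):
    """Return the hosts whose certificate does not cover the routed name."""
    return [r["host"] for r in routes
            if not hostname_matches(r["host"], r.get("san_dns", ()), r.get("san_ip", ()))]

if __name__ == "__main__":
    for host in audit(ROUTES):
        print("hostname does not match certificate:", host)
```

Routes addressed by IP or by a load-balancer alias are the usual mismatches; reissuing the certificate with the routed name as a SAN, or routing to the name already on the certificate, clears them without turning verification off.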