Wednesday, November 18, 2009

Apache Synapse's HTTP Sender

The factory-default HTTPS transport sender of Apache Synapse is "org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender". Its "HostnameVerifier" parameter controls how Apache Synapse performs SSL handshaking: it indicates how the URL's hostname and the hostname in the server's SSL certificate are matched during the SSL handshake. HostnameVerifier can take one of the following 3 values.

  • DefaultAndLocalHost
  • Strict
  • AllowAll

DefaultAndLocalHost

If the "HostnameVerifier" value is set to "DefaultAndLocalHost", then the SSL handshake will be successful only if one of the following is satisfied.

  • The hostname must match either the first CN, or any of the subject-alts of the server certificate (same way as Curl and Firefox). A wildcard can occur in the CN, and in any of the subject-alts. The only difference between DEFAULT and STRICT is that a wildcard (such as "*.foo.com") with DEFAULT matches all subdomains, including "a.b.foo.com".
  • A host of "localhost", "localhost.localdomain", "127.0.0.1", "::1" will always pass, no matter what is in the server's certificate.

Strict

If the "HostnameVerifier" value is set to "Strict", then the SSL handshake will be successful only when the following criterion is met.

The hostname must match either the first CN, or any of the subject-alts of the server certificate. A wildcard can occur in the CN, and in any of the subject-alts. This will only check the first CN of the certificate similar to Sun Java 1.4. A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com".

This works the same way as java.net.URL in Sun Java 1.4, Sun Java 5, Sun Java 6. This implementation appears to be compliant with RFC 2818 for dealing with wildcards.

This functionality is also very close to IE6. The one divergence from IE6 is that it only checks the first CN, whereas IE6 allows a match against any of the CNs present.

AllowAll

Setting "HostnameVerifier" to "AllowAll" turns hostname verification off: the SSL handshake succeeds regardless of which hostname the server's certificate names. This implementation is a no-op, and never throws an SSLException.
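The three matching rules described above, modelled as an added example (this is not Synapse's own code). It assumes wildcards appear only as a leading "*." label and that names are compared case-insensitively; the certificate names are constructed sample values.

```python
# Model of the three HostnameVerifier modes described in the post.
# Hosts that always pass in DefaultAndLocalHost mode.
LOCAL_HOSTS = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}


def _name_matches(pattern, host, strict):
    """Match one certificate name (CN or subject-alt) against a hostname.

    Assumption: a wildcard is a leading "*." label and comparison is
    case-insensitive. In Strict mode "*.foo.com" matches exactly one extra
    label (RFC 2818 style); in Default mode it also matches deeper names
    such as "a.b.foo.com". Neither mode matches the bare "foo.com".
    """
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]            # "*.foo.com" -> ".foo.com"
    if not host.endswith(suffix):
        return False
    prefix = host[:-len(suffix)]    # the part the wildcard stands for
    if not prefix:
        return False
    return "." not in prefix if strict else True


def verify(mode, host, cns, subject_alts=()):
    """Return True if hostname verification passes for the given mode.

    mode is "DefaultAndLocalHost", "Strict" or "AllowAll". Only the first
    CN is consulted (as the post notes), plus every subject-alt name.
    """
    if mode == "AllowAll":
        return True                 # verification disabled: no-op
    if mode == "DefaultAndLocalHost" and host.lower() in LOCAL_HOSTS:
        return True                 # local hosts always pass in this mode
    strict = mode == "Strict"
    candidates = list(cns[:1]) + list(subject_alts)
    return any(_name_matches(p, host, strict) for p in candidates)


if __name__ == "__main__":
    # Constructed sample certificate: CN=*.foo.com, no subject-alts.
    for mode in ("DefaultAndLocalHost", "Strict", "AllowAll"):
        for host in ("a.foo.com", "a.b.foo.com", "foo.com", "localhost"):
            print(f"{mode:20} {host:12} -> {verify(mode, host, ['*.foo.com'])}")
```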