Discovery reports Certificate for <domain> doesn't match any of the subject alternative names #1805

Closed
jackjia-ibm opened this issue Sep 27, 2021 · 6 comments
Labels: bug (Verified defect in functionality), clarification (Issue is being clarified in the discussion with the creator of the issue)

Comments

@jackjia-ibm (Member)

Describe the bug

After Discovery is started in Kubernetes, a lot of repeated errors show up in the pod log:

2021-09-27 14:07:10.968 <ZWEADS1:TaskBatchingWorker-target_discovery-0.discovery-service.zowe.svc.cluster.local-2:740> zowe DEBUG (o.a.h.c.s.DefaultHostnameVerifier) Certificate for <discovery-0.discovery-service.zowe.svc.cluster.local> doesn't match any of the subject alternative names: [localhost, localhost.localdomain, 127.0.0.1, *.zowe.pod.cluster.local, *.zowe.svc.cluster.local]
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <discovery-0.discovery-service.zowe.svc.cluster.local> doesn't match any of the subject alternative names: [localhost, localhost.localdomain, 127.0.0.1, *.zowe.pod.cluster.local, *.zowe.svc.cluster.local]
	at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:177)
	at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:122)
	at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:503)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at com.netflix.discovery.shared.transport.jersey.SSLSocketFactoryAdapter.connectSocket(SSLSocketFactoryAdapter.java:59)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:173)
	at com.netflix.eureka.cluster.DynamicGZIPContentEncodingFilter.handle(DynamicGZIPContentEncodingFilter.java:48)
	at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27)
	at com.sun.jersey.api.client.Client.handle(Client.java:652)
	at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)
	at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
	at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570)
	at com.netflix.eureka.transport.JerseyReplicationClient.submitBatchUpdates(JerseyReplicationClient.java:117)
	at com.netflix.eureka.cluster.ReplicationTaskProcessor.process(ReplicationTaskProcessor.java:80)
	at com.netflix.eureka.util.batcher.TaskExecutors$BatchWorkerRunnable.run(TaskExecutors.java:190)
	at java.lang.Thread.run(Thread.java:748)
2021-09-27 14:07:10.978 <ZWEADS1:TaskBatchingWorker-target_discovery-0.discovery-service.zowe.svc.cluster.local-2:740> zowe DEBUG (o.a.h.i.c.DefaultClientConnection) Connection org.apache.http.impl.conn.DefaultClientConnection@3d56dceb closed

This error message always shows up, even when APIML_DEBUG_MODE_ENABLED, ZOWE_APIM_VERIFY_CERTIFICATES, and ZOWE_APIM_NONSTRICT_VERIFY_CERTIFICATES are all false.

When using the same keystore/truststore and validating with certificate-analyser.jar:

  • if we test against https://localhost:7553/eureka/apps, the handshake will be successful.
  • if we test against https://discovery-0.discovery-service.zowe.svc.cluster.local:7553/eureka/apps, the handshake will fail.

In /etc/hosts, we point discovery-0.discovery-service.zowe.svc.cluster.local to 127.0.0.1, so it is the same as localhost.

Steps to Reproduce

  1. Apply the Kubernetes workload from the zowe-install-packaging staging branch, commit hash 16c9219e768436c70f5e14c09decff5522190da3.
  2. Add the line "127.0.0.1 discovery-0.discovery-service.zowe.svc.cluster.local" to /etc/hosts.

Expected behavior

Certificate should be accepted.

Logs

tiefengjia:~/playground/certificate-analyser$ java -Djavax.net.debug=ssl:handshake:verbose -jar certificate-analyser.jar --truststore keystore/truststore.p12 --keystore keystore/keystore.p12 --keypasswd password --keyalias localhost --trustpasswd password --remoteurl https://discovery-0.discovery-service.zowe.svc.cluster.local:7553/eureka/apps
adding as trusted cert:
  Subject: CN=APIML External Certificate Authority, OU=MFD, O=Broadcom, L=Prague, ST=Prague, C=CZ
  Issuer:  CN=APIML External Certificate Authority, OU=MFD, O=Broadcom, L=Prague, ST=Prague, C=CZ
  Algorithm: RSA; Serial number: 0x161a49767f1d3cb3a3f4590f3f63c89337f044bc
  Valid from Fri Aug 21 06:01:23 EDT 2020 until Thu May 18 06:01:23 EDT 2023

adding as trusted cert:
  Subject: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Issuer:  CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Algorithm: RSA; Serial number: 0x1f22a796
  Valid from Mon Sep 27 11:43:51 EDT 2021 until Thu Sep 25 11:43:51 EDT 2031

adding as trusted cert:
  Subject: CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT
  Issuer:  CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT
  Algorithm: RSA; Serial number: 0x0
  Valid from Fri Sep 25 01:00:00 EDT 2015 until Thu May 18 00:59:59 EDT 2023

adding as trusted cert:
  Subject: CN=" S0W1.DAL-EBIS.IHOST.COM", OU=IZUDFLT, O=IBM
  Issuer:  CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Sep 25 01:00:00 EDT 2015 until Thu May 18 00:59:59 EDT 2023

System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
trigger seeding of SecureRandom
done seeding SecureRandom
Start of the remote SSL handshake.
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(5000) called
main, the previous server name in SNI (type=host_name (0), value=discovery-0.discovery-service.zowe.svc.cluster.local) was replaced with (type=host_name (0), value=discovery-0.discovery-service.zowe.svc.cluster.local)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1632767188 bytes = { 235, 237, 183, 250, 127, 107, 164, 149, 23, 48, 91, 56, 100, 250, 192, 41, 74, 137, 115, 112, 105, 234, 33, 232, 94, 78, 141, 168 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=discovery-0.discovery-service.zowe.svc.cluster.local]
***
main, WRITE: TLSv1.2 Handshake, length = 246
main, READ: TLSv1.2 Handshake, length = 3254
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -610246280 bytes = { 70, 37, 62, 155, 175, 120, 248, 231, 4, 71, 152, 98, 247, 174, 22, 18, 86, 41, 0, 170, 4, 134, 26, 239, 205, 141, 54, 22 }
Session ID:  {178, 41, 14, 244, 104, 222, 247, 119, 144, 93, 124, 185, 114, 149, 206, 21, 56, 116, 102, 33, 228, 33, 15, 183, 22, 68, 96, 17, 74, 96, 92, 250}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension extended_master_secret
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: L=Prague, ST=Prague, C=CZ, OU=API Mediation Layer, O=Zowe Sample, CN=Zowe Service
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 23328975659002710030772007730154453974976384220025643873017927262464241763369073826857789060983098949124706080169862447152833357801539747442054771144475466628104542983114202998539728437429406039178537871121531704604266067205314864109740405336543649260563342353823708809584072110351580068210333922287575754202968057704050543297615766528404730253775825772710962624711341667050114957092534155723091060980196502017347388149726868825681058544002647707159708991391695303853854357099471482024993077364037294235494565126004945455900919756543971991607609449299835081643509870083048656215312005693144932755188929356681190917253
  public exponent: 65537
  Validity: [From: Mon Sep 27 14:13:39 EDT 2021,
               To: Thu Sep 25 14:13:39 EDT 2031]
  Issuer: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  SerialNumber: [   -54f8b714 7adeb6f6 a2f7e051 94e1bb7d 9eaf584e]

Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ]
SerialNumber: [    1f22a796]
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  DNSName: localhost.localdomain
  IPAddress: 127.0.0.1
  DNSName: *.zowe.pod.cluster.local
  DNSName: *.zowe.svc.cluster.local
]

[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4C 15 65 02 95 61 41 E5   E1 A4 69 64 02 24 AA 35  L.e..aA...id.$.5
0010: 15 71 08 F2                                        .q..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]
chain [1] = [
[
  Version: V3
  Subject: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 17522993133005893570865784891880826388606263049752098099091717946975442460269686821105517384564411609167066463913236086366550830252788198521281826687451225025748641687644794393032567397276117542280322165006871331801557893168431070367813230895423778165044024162239434408574305836667749283886839129840796443906387312814499429269828798838683888307426568146225429759443931289543718079635635858596293518300901365334672597806578663758901201856043304217926029696528387861815866242393997590654079105579873522493983923465517645556683741625655790134338095432255274926295089735589079093951508047658395732770610176216655664895571
  public exponent: 65537
  Validity: [From: Mon Sep 27 11:43:51 EDT 2021,
               To: Thu Sep 25 11:43:51 EDT 2031]
  Issuer: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  SerialNumber: [    1f22a796]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 10 B5 DF 53 99 4E 14   9E 70 24 B2 59 57 2F 2B  ....S.N..p$.YW/+
0010: 70 C2 25 F4                                        p.%.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]
***
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching discovery-0.discovery-service.zowe.svc.cluster.local found.
Handshake failed. Service "https://discovery-0.discovery-service.zowe.svc.cluster.local:7553/eureka/apps" is not trusted. Please add CA of this certificate to your truststore keystore/truststore.p12
=============
Verifying keystore: keystore/keystore.p12  against truststore: keystore/truststore.p12
Trusted certificate is stored under alias: localca
Certificate authority: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
Details about valid certificate:
++++++++
Possible hostname values:
[2, localhost]
[2, localhost.localdomain]
[7, 127.0.0.1]
[2, *.zowe.pod.cluster.local]
[2, *.zowe.svc.cluster.local]
Certificate can be used for client authentication.
++++++++
tiefengjia:~/playground/certificate-analyser$ java -Djavax.net.debug=ssl:handshake:verbose -jar certificate-analyser.jar --truststore keystore/truststore.p12 --keystore keystore/keystore.p12 --keypasswd password --keyalias localhost --trustpasswd password --remoteurl https://localhost:7553/eureka/apps
adding as trusted cert:
  Subject: CN=APIML External Certificate Authority, OU=MFD, O=Broadcom, L=Prague, ST=Prague, C=CZ
  Issuer:  CN=APIML External Certificate Authority, OU=MFD, O=Broadcom, L=Prague, ST=Prague, C=CZ
  Algorithm: RSA; Serial number: 0x161a49767f1d3cb3a3f4590f3f63c89337f044bc
  Valid from Fri Aug 21 06:01:23 EDT 2020 until Thu May 18 06:01:23 EDT 2023

adding as trusted cert:
  Subject: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Issuer:  CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Algorithm: RSA; Serial number: 0x1f22a796
  Valid from Mon Sep 27 11:43:51 EDT 2021 until Thu Sep 25 11:43:51 EDT 2031

adding as trusted cert:
  Subject: CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT
  Issuer:  CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT
  Algorithm: RSA; Serial number: 0x0
  Valid from Fri Sep 25 01:00:00 EDT 2015 until Thu May 18 00:59:59 EDT 2023

adding as trusted cert:
  Subject: CN=" S0W1.DAL-EBIS.IHOST.COM", OU=IZUDFLT, O=IBM
  Issuer:  CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Sep 25 01:00:00 EDT 2015 until Thu May 18 00:59:59 EDT 2023

System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
trigger seeding of SecureRandom
done seeding SecureRandom
Start of the remote SSL handshake.
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(5000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1632767226 bytes = { 168, 35, 210, 224, 25, 160, 38, 75, 74, 118, 40, 175, 220, 18, 145, 210, 112, 168, 74, 111, 95, 203, 202, 55, 102, 183, 28, 97 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
main, WRITE: TLSv1.2 Handshake, length = 185
main, READ: TLSv1.2 Handshake, length = 3254
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -1482101424 bytes = { 161, 247, 135, 34, 15, 116, 16, 168, 16, 252, 153, 134, 54, 32, 43, 63, 198, 56, 191, 6, 103, 156, 74, 168, 159, 124, 91, 0 }
Session ID:  {59, 75, 144, 36, 123, 44, 228, 51, 142, 40, 135, 208, 68, 124, 231, 100, 216, 68, 48, 159, 233, 37, 138, 0, 245, 194, 66, 125, 3, 19, 52, 240}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension extended_master_secret
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: L=Prague, ST=Prague, C=CZ, OU=API Mediation Layer, O=Zowe Sample, CN=Zowe Service
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 23328975659002710030772007730154453974976384220025643873017927262464241763369073826857789060983098949124706080169862447152833357801539747442054771144475466628104542983114202998539728437429406039178537871121531704604266067205314864109740405336543649260563342353823708809584072110351580068210333922287575754202968057704050543297615766528404730253775825772710962624711341667050114957092534155723091060980196502017347388149726868825681058544002647707159708991391695303853854357099471482024993077364037294235494565126004945455900919756543971991607609449299835081643509870083048656215312005693144932755188929356681190917253
  public exponent: 65537
  Validity: [From: Mon Sep 27 14:13:39 EDT 2021,
               To: Thu Sep 25 14:13:39 EDT 2031]
  Issuer: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  SerialNumber: [   -54f8b714 7adeb6f6 a2f7e051 94e1bb7d 9eaf584e]

Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ]
SerialNumber: [    1f22a796]
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  DNSName: localhost.localdomain
  IPAddress: 127.0.0.1
  DNSName: *.zowe.pod.cluster.local
  DNSName: *.zowe.svc.cluster.local
]

[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4C 15 65 02 95 61 41 E5   E1 A4 69 64 02 24 AA 35  L.e..aA...id.$.5
0010: 15 71 08 F2                                        .q..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 5A 20 6A A9 A7 88 85 BA   E5 2D 6D C9 43 F2 C5 F2  Z j......-m.C...
0010: 21 97 34 AE 15 5A 6D 6E   02 72 8A 68 56 84 BF 6D  !.4..Zmn.r.hV..m
0020: 48 1E 3D FE 06 85 E7 CC   A2 AB 13 52 5A 59 EB 54  H.=........RZY.T
0030: E8 59 8F 05 B3 4B 9F 82   B0 AA 5A 2A D1 79 35 D0  .Y...K....Z*.y5.
0040: AF 10 1B B7 BC 1E 18 1D   5B 3D 6F 77 77 13 45 06  ........[=oww.E.
0050: 00 7E B4 17 58 E3 18 5A   34 5E 48 C5 5E 8D 31 AF  ....X..Z4^H.^.1.
0060: 89 C2 02 2B 6C 92 D7 5B   DC 72 63 F5 D7 C7 87 3D  ...+l..[.rc....=
0070: E7 C4 51 FC 55 9E 32 CA   18 5E 10 FB E3 46 10 F8  ..Q.U.2..^...F..
0080: 8D D4 DD 54 5A B6 91 67   8B BE CF 1D 4B 6D 82 D7  ...TZ..g....Km..
0090: 1D 35 22 27 6F BD BA 88   D2 62 79 73 80 71 9B 81  .5"'o....bys.q..
00A0: 2B 45 69 C1 3D 6E 6A F5   E9 29 E3 99 D9 17 CB 85  +Ei.=nj..)......
00B0: E4 14 B7 98 8D 86 6B BB   99 2A 53 91 31 E3 58 07  ......k..*S.1.X.
00C0: E6 31 07 B6 C3 48 93 B2   58 2B 2A 0E 3E 14 E2 4C  .1...H..X+*.>..L
00D0: 0E 4F 9D 63 24 D7 16 EE   1E 5B 07 A7 D4 0D EC 40  .O.c$....[.....@
00E0: 36 20 BD 72 56 5A 46 75   D3 64 1F 86 7C 70 23 E7  6 .rVZFu.d...p#.
00F0: E3 AF 09 F3 62 94 45 8D   77 F3 3B A9 6E 9D A9 E7  ....b.E.w.;.n...

]
chain [1] = [
[
  Version: V3
  Subject: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 17522993133005893570865784891880826388606263049752098099091717946975442460269686821105517384564411609167066463913236086366550830252788198521281826687451225025748641687644794393032567397276117542280322165006871331801557893168431070367813230895423778165044024162239434408574305836667749283886839129840796443906387312814499429269828798838683888307426568146225429759443931289543718079635635858596293518300901365334672597806578663758901201856043304217926029696528387861815866242393997590654079105579873522493983923465517645556683741625655790134338095432255274926295089735589079093951508047658395732770610176216655664895571
  public exponent: 65537
  Validity: [From: Mon Sep 27 11:43:51 EDT 2021,
               To: Thu Sep 25 11:43:51 EDT 2031]
  Issuer: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  SerialNumber: [    1f22a796]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 10 B5 DF 53 99 4E 14   9E 70 24 B2 59 57 2F 2B  ....S.N..p$.YW/+
0010: 70 C2 25 F4                                        p.%.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 57 C6 FD 24 EB 4F A4 B6   D8 69 24 4C AC EB B9 B8  W..$.O...i$L....
0010: 9C 03 55 14 74 A8 2E EC   5B C5 3E 0D 92 C6 37 10  ..U.t...[.>...7.
0020: A4 65 71 44 3A 05 0F ED   72 D1 82 80 2B BA AB AF  .eqD:...r...+...
0030: 26 93 6D 6D 52 0D A7 46   7B 1D 66 09 37 EB 3D 98  &.mmR..F..f.7.=.
0040: E0 C8 BF 7F 1B 0D 05 9A   D1 01 9C BC D1 82 48 FF  ..............H.
0050: E4 7D B0 C5 3F E3 65 ED   C6 A6 4A 5A 90 9F 2A E8  ....?.e...JZ..*.
0060: 53 9E 6D E0 16 CF 4E 46   D7 9F CB 0E 6A B3 A8 C4  S.m...NF....j...
0070: A0 EE BF C6 AA EB 2F 83   5A 8A 50 77 43 37 C2 FC  ....../.Z.PwC7..
0080: 0E 87 76 CC 70 BE 2D 65   D4 0F 45 42 30 7C 5B C4  ..v.p.-e..EB0.[.
0090: 1B F1 19 E9 0A 46 3D 50   C8 43 92 B4 BD 97 6C 8A  .....F=P.C....l.
00A0: 06 57 62 61 95 7D DF F8   10 4D 85 1F 17 A5 93 D3  .Wba.....M......
00B0: A7 ED AE 90 E8 21 01 56   6B 0A 51 FB A1 F8 BD 7D  .....!.Vk.Q.....
00C0: 8A 10 0B 7D 30 B7 5E EB   E8 EA E8 D7 BB 16 5B 78  ....0.^.......[x
00D0: 7A B8 56 17 44 1E 18 BC   64 97 9F F2 99 F7 A3 A8  z.V.D...d.......
00E0: 27 93 E2 9F F5 EB 1D E5   CE 79 28 4E EE AE 96 1F  '........y(N....
00F0: FE 39 9A 8B 99 67 09 5F   BA F7 86 BA CD 3C 0B 55  .9...g._.....<.U

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 17522993133005893570865784891880826388606263049752098099091717946975442460269686821105517384564411609167066463913236086366550830252788198521281826687451225025748641687644794393032567397276117542280322165006871331801557893168431070367813230895423778165044024162239434408574305836667749283886839129840796443906387312814499429269828798838683888307426568146225429759443931289543718079635635858596293518300901365334672597806578663758901201856043304217926029696528387861815866242393997590654079105579873522493983923465517645556683741625655790134338095432255274926295089735589079093951508047658395732770610176216655664895571
  public exponent: 65537
  Validity: [From: Mon Sep 27 11:43:51 EDT 2021,
               To: Thu Sep 25 11:43:51 EDT 2031]
  Issuer: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
  SerialNumber: [    1f22a796]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 10 B5 DF 53 99 4E 14   9E 70 24 B2 59 57 2F 2B  ....S.N..p$.YW/+
0010: 70 C2 25 F4                                        p.%.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 57 C6 FD 24 EB 4F A4 B6   D8 69 24 4C AC EB B9 B8  W..$.O...i$L....
0010: 9C 03 55 14 74 A8 2E EC   5B C5 3E 0D 92 C6 37 10  ..U.t...[.>...7.
0020: A4 65 71 44 3A 05 0F ED   72 D1 82 80 2B BA AB AF  .eqD:...r...+...
0030: 26 93 6D 6D 52 0D A7 46   7B 1D 66 09 37 EB 3D 98  &.mmR..F..f.7.=.
0040: E0 C8 BF 7F 1B 0D 05 9A   D1 01 9C BC D1 82 48 FF  ..............H.
0050: E4 7D B0 C5 3F E3 65 ED   C6 A6 4A 5A 90 9F 2A E8  ....?.e...JZ..*.
0060: 53 9E 6D E0 16 CF 4E 46   D7 9F CB 0E 6A B3 A8 C4  S.m...NF....j...
0070: A0 EE BF C6 AA EB 2F 83   5A 8A 50 77 43 37 C2 FC  ....../.Z.PwC7..
0080: 0E 87 76 CC 70 BE 2D 65   D4 0F 45 42 30 7C 5B C4  ..v.p.-e..EB0.[.
0090: 1B F1 19 E9 0A 46 3D 50   C8 43 92 B4 BD 97 6C 8A  .....F=P.C....l.
00A0: 06 57 62 61 95 7D DF F8   10 4D 85 1F 17 A5 93 D3  .Wba.....M......
00B0: A7 ED AE 90 E8 21 01 56   6B 0A 51 FB A1 F8 BD 7D  .....!.Vk.Q.....
00C0: 8A 10 0B 7D 30 B7 5E EB   E8 EA E8 D7 BB 16 5B 78  ....0.^.......[x
00D0: 7A B8 56 17 44 1E 18 BC   64 97 9F F2 99 F7 A3 A8  z.V.D...d.......
00E0: 27 93 E2 9F F5 EB 1D E5   CE 79 28 4E EE AE 96 1F  '........y(N....
00F0: FE 39 9A 8B 99 67 09 5F   BA F7 86 BA CD 3C 0B 55  .9...g._.....<.U

]
check handshake state: server_key_exchange[12]
update handshake state: server_key_exchange[12]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 55172330605112744041021576764180282561426416110015567369494701358292710346984
  public y coord: 58886605677822029821843330208395748183758618462761632146274687625699877578310
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
check handshake state: unknown[13]
*** CertificateRequest
Cert Types: ECDSA, RSA, DSS
Supported Signature Algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, Unknown (hash:0x8, signature:0x4), Unknown (hash:0x8, signature:0x5), Unknown (hash:0x8, signature:0x6), Unknown (hash:0x8, signature:0x9), Unknown (hash:0x8, signature:0xa), Unknown (hash:0x8, signature:0xb), SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=APIML External Certificate Authority, OU=MFD, O=Broadcom, L=Prague, ST=Prague, C=CZ>
<CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ>
<CN=z/OSMF CertAuth for Security Domain, OU=IZUDFLT>
<CN=" S0W1.DAL-EBIS.IHOST.COM", OU=IZUDFLT, O=IBM>
update handshake state: unknown[13]
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
check handshake state: server_hello_done[14]
update handshake state: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
update handshake state: certificate[11]
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 228, 169, 173, 51, 61, 160, 252, 93, 164, 34, 114, 64, 89, 93, 143, 221, 103, 221, 63, 106, 199, 200, 149, 25, 63, 131, 186, 16, 245, 200, 98, 223, 240, 202, 77, 79, 24, 4, 113, 164, 198, 56, 87, 157, 167, 248, 177, 248, 175, 19, 210, 212, 81, 127, 155, 157, 234, 54, 32, 159, 74, 104, 42, 238 }
update handshake state: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 77
SESSION KEYGEN:
PreMaster Secret:
0000: 83 DA C7 2E 37 45 1A 71   85 11 7F C6 A6 FE 87 B1  ....7E.q........
0010: 36 09 34 16 13 BC 82 E6   D2 6C 4D 74 62 60 9B 71  6.4......lMtb`.q
CONNECTION KEYGEN:
Client Nonce:
0000: 61 52 0D FA A8 23 D2 E0   19 A0 26 4B 4A 76 28 AF  aR...#....&KJv(.
0010: DC 12 91 D2 70 A8 4A 6F   5F CB CA 37 66 B7 1C 61  ....p.Jo_..7f..a
Server Nonce:
0000: A8 A9 ED 50 A1 F7 87 22   0F 74 10 A8 10 FC 99 86  ...P...".t......
0010: 36 20 2B 3F C6 38 BF 06   67 9C 4A A8 9F 7C 5B 00  6 +?.8..g.J...[.
Master Secret:
0000: 5E 31 F9 65 1D D4 0B A8   F5 75 30 77 A9 43 03 31  ^1.e.....u0w.C.1
0010: 73 C9 41 5E C2 70 09 23   B1 BB FB A1 60 79 C9 D9  s.A^.p.#....`y..
0020: 04 9E 19 A6 E6 07 81 DC   32 03 33 AF BE 8E D1 B8  ........2.3.....
... no MAC keys used for this cipher
Client write key:
0000: 5F BB 4D BD 19 AA 10 1E   B7 05 F3 DB DB A2 62 4C  _.M...........bL
Server write key:
0000: 50 C3 B4 A4 B6 17 45 1C   19 91 AD 58 6F 58 02 BD  P.....E....XoX..
Client write IV:
0000: E6 B3 9A FC                                        ....
Server write IV:
0000: CF B6 E1 F1                                        ....
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 35, 47, 184, 168, 103, 73, 133, 34, 213, 86, 233, 36 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
update handshake state: change_cipher_spec
upcoming handshake states: server finished[20]
main, READ: TLSv1.2 Handshake, length = 40
check handshake state: finished[20]
update handshake state: finished[20]
*** Finished
verify_data:  { 123, 218, 250, 216, 145, 162, 114, 243, 246, 195, 210, 36 }
***
%% Cached client session: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 189
main, READ: TLSv1.2 Application Data, length = 679
Handshake was successful. Service "https://localhost:7553/eureka/apps" is trusted by truststore "keystore/truststore.p12".
=============
Verifying keystore: keystore/keystore.p12  against truststore: keystore/truststore.p12
Trusted certificate is stored under alias: localca
Certificate authority: CN=Zowe Development Instances Certificate Authority, OU=API Mediation Layer, O=Zowe Sample, L=Prague, ST=Prague, C=CZ
Details about valid certificate:
++++++++
Possible hostname values:
[2, localhost]
[2, localhost.localdomain]
[7, 127.0.0.1]
[2, *.zowe.pod.cluster.local]
[2, *.zowe.svc.cluster.local]
Certificate can be used for client authentication.
++++++++

Please confirm if you can reproduce the error. Thanks.

@jackjia-ibm jackjia-ibm added bug Verified defect in functionality new New issue that has not been worked on yet labels Sep 27, 2021
@jackjia-ibm
Member Author

jackjia-ibm commented Sep 28, 2021

This is the keystore/truststore I used for above test: test-keystore.zip

And with this keystore/truststore pair, all APIML services can be started and Discovery can see all services registered correctly.

@achmelo achmelo added clarification Issue is being clarified in the discussion with the creator of the issue and removed new New issue that has not been worked on yet labels Sep 29, 2021
@jandadav
Contributor

jandadav commented Sep 30, 2021

@jackjia-ibm
As per RFC2818:

Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Makes me think that the exception is thrown for a valid reason

Certificate for <discovery-0.discovery-service.zowe.svc.cluster.local> doesn't match any of the subject alternative names: [localhost, localhost.localdomain, 127.0.0.1, *.zowe.pod.cluster.local, *.zowe.svc.cluster.local]

the discovery-0.discovery-service.zowe.svc.cluster.local consists of 6 fragments, but the certificate SAN has 5 fragments and a wildcard in the first position, so I would not anticipate it to match the provided hostname

@jandadav
Contributor

This is the Tomcat code that does the wildcard verification fyi:

static boolean matchIdentity(final String host, final String identity, final boolean strict) {
    // RFC 2818, 3.1. Server Identity
    // "...Names may contain the wildcard
    // character * which is considered to match any single domain name
    // component or component fragment..."
    // Based on this statement presuming only singular wildcard is legal
    final int asteriskIdx = identity.indexOf('*');
    if (asteriskIdx != -1) {
        final String prefix = identity.substring(0, asteriskIdx);
        final String suffix = identity.substring(asteriskIdx + 1);
        if (!prefix.isEmpty() && !host.startsWith(prefix)) {
            return false;
        }
        if (!suffix.isEmpty() && !host.endsWith(suffix)) {
            return false;
        }
        // Additional sanity checks on content selected by wildcard can be done here
        if (strict) {
            // In strict mode the text covered by '*' may not span a label boundary,
            // so the wildcard matches exactly one DNS component.
            final String remainder = host.substring(
                    prefix.length(), host.length() - suffix.length());
            if (remainder.contains(".")) {
                return false;
            }
        }
        return true;
    }
    // No wildcard: the identity must equal the host (DNS names are case-insensitive)
    return host.equalsIgnoreCase(identity);
}
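
The RFC 2818 rule quoted above and the strict/non-strict branch in the verifier code, as an added worked example that is not part of this issue thread or of the Zowe or Apache code: a small Python re-implementation of the matcher, run against the SAN list from the debug log. The GeneralName tag numbers (2 = dNSName, 7 = iPAddress) are the ones the verification output above prints; the function names, the `strict` flag and the extra hostnames tried are my own assumptions for illustration.

```python
import ipaddress

# GeneralName tags as printed in the "Possible hostname values" list above
# (RFC 5280 GeneralName CHOICE indices): 2 = dNSName, 7 = iPAddress.
DNS_NAME = 2
IP_ADDRESS = 7

# SAN list copied from the server certificate in the debug log (constructed input).
SANS = [
    (DNS_NAME, "localhost"),
    (DNS_NAME, "localhost.localdomain"),
    (IP_ADDRESS, "127.0.0.1"),
    (DNS_NAME, "*.zowe.pod.cluster.local"),
    (DNS_NAME, "*.zowe.svc.cluster.local"),
]


def match_identity(host: str, identity: str, strict: bool = True) -> bool:
    """Match one dNSName SAN against a hostname.

    Mirrors the wildcard logic quoted in this thread: a single '*' may match a
    prefix/suffix of the name; in strict mode the text it swallows may not
    contain a '.', so the wildcard covers exactly one DNS label
    (RFC 2818 section 3.1, RFC 6125 section 6.4.3).
    """
    host = host.lower().rstrip(".")
    identity = identity.lower().rstrip(".")
    star = identity.find("*")
    if star == -1:
        return host == identity
    if identity.count("*") > 1:
        return False  # only a single wildcard is legal
    prefix, suffix = identity[:star], identity[star + 1:]
    if prefix and not host.startswith(prefix):
        return False
    if suffix and not host.endswith(suffix):
        return False
    if len(host) < len(prefix) + len(suffix):
        return False
    remainder = host[len(prefix):len(host) - len(suffix)]
    if not remainder:
        return False  # '*' must match at least one character
    if strict and "." in remainder:
        return False  # wildcard would have to span a label boundary
    return True


def verify_hostname(host: str, sans, strict: bool = True):
    """Return the SAN entry that matches `host`, or None if nothing does.

    IP-literal hosts are compared only against iPAddress entries and DNS
    hostnames only against dNSName entries, as the verifier in the log does.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == IP_ADDRESS and ipaddress.ip_address(value) == ip:
            return (kind, value)
        if ip is None and kind == DNS_NAME and match_identity(host, value, strict):
            return (kind, value)
    return None


if __name__ == "__main__":
    pod = "discovery-0.discovery-service.zowe.svc.cluster.local"
    # Strict (what DefaultHostnameVerifier does): '*' may cover only one label.
    print("strict  :", verify_hostname(pod, SANS))
    # Lax: the same certificate would be accepted for any depth under the suffix.
    print("lax     :", verify_hostname(pod, SANS, strict=False))
    # The narrow fix: a wildcard one level down, under the headless service name.
    fixed = SANS + [(DNS_NAME, "*.discovery-service.zowe.svc.cluster.local")]
    print("fixed   :", verify_hostname(pod, fixed))
    print("ip      :", verify_hostname("127.0.0.1", SANS))
    # RFC 2818's own examples.
    print("foo.a.com   vs *.a.com:", match_identity("foo.a.com", "*.a.com"))
    print("bar.foo.a.com vs *.a.com:", match_identity("bar.foo.a.com", "*.a.com"))
```

Under strict matching the pod name fails because `*` would have to swallow `discovery-0.discovery-service`, two labels; under the lax branch the same certificate would be accepted, which is exactly why a wildcard at the top of the cluster domain should not be treated as covering every StatefulSet pod. A per-service wildcard such as `*.discovery-service.zowe.svc.cluster.local` keeps the certificate scoped to that service's pods.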

@jandadav
Contributor

jandadav commented Sep 30, 2021

Regarding why this shows in Discovery service even with http hostname verification disabled I'm checking that

This error message is always showing even APIML_DEBUG_MODE_ENABLED, ZOWE_APIM_VERIFY_CERTIFICATES, and ZOWE_APIM_NONSTRICT_VERIFY_CERTIFICATES are all false.

Are you sure these keys are correct?

@jackjia-ibm
Member Author

Thanks David, you are right, after I put *.discovery-service.zowe.svc.cluster.local into SAN, the messages are gone. I will change my side to add those to the SAN list instead of *.zowe.svc.cluster.local.

For your question, yes, ZOWE_APIM_VERIFY_CERTIFICATES and ZOWE_APIM_NONSTRICT_VERIFY_CERTIFICATES don't affect the log/result. If I have APIML_DEBUG_MODE_ENABLED enabled, the log will be flooded with that message, a few entries every second. If I disable APIML_DEBUG_MODE_ENABLED, I can see one record of the SSLPeerUnverifiedException message.

@jandadav
Contributor

jandadav commented Oct 6, 2021

Regarding the log, the debug logging is appropriate for such messages and I don't think it's a problem.
I've tested the HostnameVerifier, and when verifyCertificates and nonstrictVerifyCertificates are both off, you will get NoopHostnameVerifier, instead of DefaultHostnameVerifier for the Eureka client. That leads me to believe that the variables in Zowe config are somehow not translating correctly. You can check from your end whether you see any problems and if yes, we can focus on that, otherwise I'd leave it at that. I will close the issue if you agree. Feel free to reopen if it's needed.
