Details
- Bug
- Resolution: Done
- Major
- 6.4.4.GA
- None
Description
We are having problems connecting BRMS with an Artifactory Repository hosted and provided with AWS + OCP (using SNI for SSL). The problem seems to be that the HttpClient library provided with BRMS doesn't support SNI requests. The stack trace is:
12:47:21,832 DEBUG [org.kie.scanner.MavenRepository] (EJB default - 7) Unable to resolve artifact: sample:test:1.0: org.eclipse.aether.resolution.ArtifactResolutionException: Could not transfer artifact sample:test:jar:1.0 from/to groupArtifactory (https://default.artifactory.eu-central.aws.test.com/artifactory/virtual_maven): hostname in certificate didn't match: <default.artifactory.eu-central.aws.test.com> != <www.example.com>
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:444) [aether-impl-1.0.0.v20140518.jar:]
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:246) [aether-impl-1.0.0.v20140518.jar:]
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:223) [aether-impl-1.0.0.v20140518.jar:]
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact(DefaultRepositorySystem.java:294) [aether-impl-1.0.0.v20140518.jar:]
    at org.kie.scanner.MavenRepository.resolveArtifact(MavenRepository.java:167) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.MavenRepository.resolveArtifact(MavenRepository.java:155) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.MavenRepository.resolveArtifact(MavenRepository.java:151) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.ArtifactResolver.resolveArtifact(ArtifactResolver.java:68) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.KieRepositoryScannerImpl.loadArtifact(KieRepositoryScannerImpl.java:153) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.KieRepositoryScannerImpl.loadArtifact(KieRepositoryScannerImpl.java:149) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.drools.compiler.kie.builder.impl.KieRepositoryImpl.loadKieModuleFromMavenRepo(KieRepositoryImpl.java:157) [drools-compiler-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    ...
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <default.artifactory.eu-central.aws.test.com> != <www.example.com>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.DecompressingHttpClient.execute(DecompressingHttpClient.java:158) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.eclipse.aether.transport.http.HttpTransporter.execute(HttpTransporter.java:279) [aether-transport-http-1.0.0.v20140518.jar:]
    at org.eclipse.aether.transport.http.HttpTransporter.implGet(HttpTransporter.java:235) [aether-transport-http-1.0.0.v20140518.jar:]
    at org.eclipse.aether.spi.connector.transport.AbstractTransporter.get(AbstractTransporter.java:59) [aether-spi-1.0.0.v20140518.jar:]
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask(BasicRepositoryConnector.java:447) [aether-connector-basic-1.0.0.v20140518.jar:]
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:350) [aether-connector-basic-1.0.0.v20140518.jar:]
    ... 85 more
The request is not including the servername for SNI and is receiving an invalid certificate.
Some more testing showed that the same code works with HttpClient 4.5.3.
The code change that would make the difference is this one:
https://issues.apache.org/jira/browse/HTTPCLIENT-1726
https://github.com/apache/httpcomponents-client/pull/47/commits/3c4059d1e5a38bae61d3b0a7d92adb1ab43eb4df
With the explanation in this JIRA:
https://issues.apache.org/jira/browse/HTTPCLIENT-1119?focusedCommentId=13769887&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13769887
Request to upgrade the HttpClient library included in BRMS.