Skip to content

Fix SSL hostname verification failure in PullNotificationsTask#110

Closed
mherman22 wants to merge 1 commit into
IsantePlus:mainfrom
mherman22:fix/pull-notifications-ssl
Closed

Fix SSL hostname verification failure in PullNotificationsTask#110
mherman22 wants to merge 1 commit into
IsantePlus:mainfrom
mherman22:fix/pull-notifications-ssl

Conversation

@mherman22

@mherman22 mherman22 commented Apr 4, 2026

Copy link
Copy Markdown
Contributor

Problem

The OkHttpClient in NotificationsPullPointClientImpl.getResponseHttpClient() is created with default SSL configuration:

OkHttpClient client = new OkHttpClient().newBuilder().build();

When the PullNotificationsTask connects to the OpenHIM endpoint (e.g., https://openhim.sedish-haiti.org/dsub), the DNS may resolve to an intermediary (load balancer, reverse proxy, CDN) that presents its own SSL certificate. The default OkHttpClient performs hostname verification — it checks that the certificate's CN/SAN matches the requested hostname. When they don't match, it throws:

SSLPeerUnverifiedException: Hostname openhim.sedish-haiti.org not verified:
    certificate: CN=lfcsdp.cell-1.prod.eu-central-1.prod.connect.aws.a2z.com

This fires every hour on the scheduled task and blocks all pull notifications.

Fix

When the existing xdssender.exportCcd.ignoreCerts global property is true, configure the OkHttpClient with:

  • A TrustManager that accepts all certificates (skips chain validation)
  • A HostnameVerifier that accepts any hostname (skips CN/SAN matching)

This matches the behavior already available for CCD export via XdsRetriever, which uses AllowAllHostnameVerifier when the same property is set.

Note: This is a workaround for environments where the SSL certificate does not match the hostname. The proper long-term fix is to ensure the certificate presented at the endpoint matches the configured hostname.

Changes

One file: NotificationsPullPointClientImpl.java

🤖 Generated with Claude Code

mherman22 added a commit to mherman22/sedish that referenced this pull request Apr 4, 2026
- Fix mpi-client.pid.exportIdentitiferType: change "Patient ID=iSantePlus ID"
  to "iSantePlus ID=iSantePlus ID" to match actual identifier type name in DB
- Add patched santedb-mpiclient-1.1.4.omod with proxy privileges
  (Get Identifier Types, Get/Edit/Add Patient Identifiers) in
  PatientSyncWorker and PatientUpdateWorker to fix
  APIAuthenticationException on every patient sync

The xds-sender SSL fix (SSLPeerUnverifiedException on PullNotificationsTask)
is submitted upstream as IsantePlus/openmrs-module-xds-sender#110.
The mpi-client privilege fix is submitted upstream as
IsantePlus/openmrs-module-mpi-client#58.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mherman22 mherman22 force-pushed the fix/pull-notifications-ssl branch 2 times, most recently from 0c5cc96 to 7384670 Compare April 4, 2026 11:31
mherman22 added a commit to mherman22/sedish that referenced this pull request Apr 4, 2026
Replaces xds-sender-2.5.0-SNAPSHOT.omod with 2.5.9 built from
IsantePlus/openmrs-module-xds-sender fix/pull-notifications-ssl branch.

Includes fix for SSLPeerUnverifiedException in PullNotificationsTask:
when xdssender.exportCcd.ignoreCerts=true, the OkHttpClient now bypasses
hostname verification — matching the existing behavior for CCD export.

See: IsantePlus/openmrs-module-xds-sender#110

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mherman22 mherman22 force-pushed the fix/pull-notifications-ssl branch 4 times, most recently from e525385 to 8245e73 Compare April 4, 2026 14:02
The OkHttpClient in NotificationsPullPointClientImpl used default SSL
configuration, causing SSLPeerUnverifiedException when the server
certificate CN does not match the hostname (e.g., behind a load
balancer or reverse proxy).

Reuse the existing xdssender.exportCcd.ignoreCerts global property to
optionally bypass SSL hostname verification and certificate validation
for the pull notifications endpoint, matching the behavior already
available for CCD export via XdsRetriever.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mherman22 mherman22 force-pushed the fix/pull-notifications-ssl branch from 8245e73 to a6f6bb5 Compare April 4, 2026 18:26
@ibacher

ibacher commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

The underlying issue here is a misconfiguration on sedish-haiti.org not something we should be working around. By just blindly accepting SSL certificates, we lose most of the value SSL provides.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants