Fix SSL hostname verification failure in PullNotificationsTask#110
Closed
mherman22 wants to merge 1 commit into
Closed
Fix SSL hostname verification failure in PullNotificationsTask#110mherman22 wants to merge 1 commit into
mherman22 wants to merge 1 commit into
Conversation
mherman22
added a commit
to mherman22/sedish
that referenced
this pull request
Apr 4, 2026
- Fix mpi-client.pid.exportIdentitiferType: change "Patient ID=iSantePlus ID" to "iSantePlus ID=iSantePlus ID" to match actual identifier type name in DB - Add patched santedb-mpiclient-1.1.4.omod with proxy privileges (Get Identifier Types, Get/Edit/Add Patient Identifiers) in PatientSyncWorker and PatientUpdateWorker to fix APIAuthenticationException on every patient sync The xds-sender SSL fix (SSLPeerUnverifiedException on PullNotificationsTask) is submitted upstream as IsantePlus/openmrs-module-xds-sender#110. The mpi-client privilege fix is submitted upstream as IsantePlus/openmrs-module-mpi-client#58. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0c5cc96 to
7384670
Compare
4 tasks
mherman22
added a commit
to mherman22/sedish
that referenced
this pull request
Apr 4, 2026
Replaces xds-sender-2.5.0-SNAPSHOT.omod with 2.5.9 built from IsantePlus/openmrs-module-xds-sender fix/pull-notifications-ssl branch. Includes fix for SSLPeerUnverifiedException in PullNotificationsTask: when xdssender.exportCcd.ignoreCerts=true, the OkHttpClient now bypasses hostname verification — matching the existing behavior for CCD export. See: IsantePlus/openmrs-module-xds-sender#110 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
e525385 to
8245e73
Compare
The OkHttpClient in NotificationsPullPointClientImpl used default SSL configuration, causing SSLPeerUnverifiedException when the server certificate CN does not match the hostname (e.g., behind a load balancer or reverse proxy). Reuse the existing xdssender.exportCcd.ignoreCerts global property to optionally bypass SSL hostname verification and certificate validation for the pull notifications endpoint, matching the behavior already available for CCD export via XdsRetriever. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
8245e73 to
a6f6bb5
Compare
Contributor
|
The underlying issue here is a misconfiguration on sedish-haiti.org not something we should be working around. By just blindly accepting SSL certificates, we lose most of the value SSL provides. |
8 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
OkHttpClientinNotificationsPullPointClientImpl.getResponseHttpClient()is created with default SSL configuration:When the
PullNotificationsTaskconnects to the OpenHIM endpoint (e.g.,https://openhim.sedish-haiti.org/dsub), the DNS may resolve to an intermediary (load balancer, reverse proxy, CDN) that presents its own SSL certificate. The defaultOkHttpClientperforms hostname verification — it checks that the certificate's CN/SAN matches the requested hostname. When they don't match, it throws:This fires every hour on the scheduled task and blocks all pull notifications.
Fix
When the existing
xdssender.exportCcd.ignoreCertsglobal property istrue, configure theOkHttpClientwith:TrustManagerthat accepts all certificates (skips chain validation)HostnameVerifierthat accepts any hostname (skips CN/SAN matching)This matches the behavior already available for CCD export via
XdsRetriever, which usesAllowAllHostnameVerifierwhen the same property is set.Note: This is a workaround for environments where the SSL certificate does not match the hostname. The proper long-term fix is to ensure the certificate presented at the endpoint matches the configured hostname.
Changes
One file:
NotificationsPullPointClientImpl.java🤖 Generated with Claude Code