commons-issues mailing list archives

From "Adam Lynam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NET-605) FTPSClient forces IP in SubjectAlternativeNames field for server certificate validation instead of hostname
Date Wed, 01 Mar 2017 12:27:45 GMT

    [ https://issues.apache.org/jira/browse/NET-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15890068#comment-15890068 ]

Adam Lynam commented on NET-605:
--------------------------------

The above gives me:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 195.144.107.198 found
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at org.apache.commons.net.ftp.FTPSClient.sslNegotiation(FTPSClient.java:289)
	at org.apache.commons.net.ftp.FTPSClient._connectAction_(FTPSClient.java:220)
	at org.apache.commons.net.SocketClient.connect(SocketClient.java:189)
	at org.apache.commons.net.SocketClient.connect(SocketClient.java:209)
	at FTPSClientIPRequiredExample.main(FTPSClientIPRequiredExample.java:13)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 195.144.107.198 found
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1018)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
	... 17 more

Process finished with exit code 1

> FTPSClient forces IP in SubjectAlternativeNames field for server certificate validation instead of hostname
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: NET-605
>                 URL: https://issues.apache.org/jira/browse/NET-605
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 3.5
>            Reporter: Adam Lynam
>
> We have an FTP Server with a signed certificate, with both CN and SAN DNS entries set to the respective hostname of the machine.
> When attempting to connect using FTPSClient, we get java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x found. The FTPSClient appears to resolve the IP address and pass that through the SSLSocket where it eventually raises the exception.
> While we initially encountered the error against our internal FTP server, we have confirmed the same issue against a public FTP server. ftps://demo:password@test.rebex.net.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
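
An added illustration, not part of the original message and not code from Commons Net or the JDK: a simplified model of the subject-alternative-name check named in the trace, showing why one certificate is judged differently depending on whether the peer is identified by hostname or by resolved address. The class name, the host `ftp.example.test` and the address `192.0.2.10` are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Simplified model of TLS peer-name matching; an illustration only. */
public class PeerNameCheckDemo {
    // GeneralName type tags used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    // True when the reference identity is an IP literal rather than a DNS name.
    static boolean isIpLiteral(String peer) {
        return peer.matches("\\d{1,3}(\\.\\d{1,3}){3}") || peer.indexOf(':') >= 0;
    }

    // Case-insensitive match; a leading "*." stands for exactly one left-most label.
    static boolean dnsMatches(String host, String pattern) {
        host = host.toLowerCase();
        pattern = pattern.toLowerCase();
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    // sans mirrors getSubjectAlternativeNames(): each entry is [Integer type, String value].
    // An IP reference identity is compared only with iPAddress entries,
    // a hostname only with dNSName entries; the two kinds never cross-match.
    static boolean matches(String peer, List<List<?>> sans) {
        int wanted = isIpLiteral(peer) ? IP_ADDRESS : DNS_NAME;
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != wanted) continue;
            String value = (String) san.get(1);
            boolean hit = wanted == IP_ADDRESS ? value.equals(peer) : dnsMatches(peer, value);
            if (hit) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed SAN list shaped like the report: a DNS entry only, no IP entry.
        List<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(DNS_NAME, "ftp.example.test"));

        // Peer identified by the name the caller supplied.
        System.out.println("hostname: " + matches("ftp.example.test", sans));
        // Peer identified by the address that name resolved to.
        System.out.println("address:  " + matches("192.0.2.10", sans));
    }
}
```

When a TLS socket is layered over an already connected plain socket, the host string handed to the socket factory is the reference identity used by this kind of check, so it should be the name the caller supplied rather than the resolved address.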
