hc-dev mailing list archives

From sebb AT ASF <s...@apache.org>
Subject Re: httpclient version upgrade causing SSL exceptions
Date Mon, 07 Nov 2011 19:20:16 GMT
On 7 November 2011 18:45, Ryan J Baxter <rjbaxter@us.ibm.com> wrote:
> I have been seeing SSL exceptions being thrown relating to certificates not
> matching in builds from trunk recently.  I have traced this back to a
> httpclient upgrade from 4.1.1 to 4.1.2.  Would anyone be opposed to
> reverting back to 4.1.1 for the time being?
>
> Looking at the changes that went into 4.1.2, this change looks like it
> might be related to the problem.  I have CCed Sebastian, maybe he can
> confirm.

This should really have been fed back to all the HttpComponents
developers via e-mail or JIRA issue; I'm copying the mailing list on
this reply.

>
> * [HTTPCLIENT-1097] BrowserCompatHostnameVerifier and StrictHostnameVerifier
> should handle
>  wildcards in SSL certificates better.
>  Contributed by Sebastian Bazley <sebb at apache.org>

> INFO: The following exception occurred when fetching
> https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js:405 ms
> elapsed.
> Nov 7, 2011 1:38:28 PM org.apache.shindig.gadgets.http.BasicHttpFetcher
> fetch
> INFO:
> javax.net.ssl.SSLException: hostname in certificate didn't match:
> <ajax.googleapis.com/74.125.115.95> != <*.googleapis.com> OR
> <googleapis.com> OR <*.googleapis.com>
>         at

It's not obvious why the hostname includes an IP address as well as a name.
I don't yet know if the validation is supposed to cope with that or not.

Also rather odd is that the hostname and IP address do not agree.

It's quite possible that the validation is wrong, and it should allow
for the /IP suffix, but it's also possible that the wrong hostname is
being passed to the validation method.

> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:228)
>         at
> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>         at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
>         at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
>         at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
>         at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:495)
>         at
> org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
>         at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
>         at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
>         at
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
>         at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
>         at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
>         at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
>         at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:776)
>         at
> org.apache.shindig.gadgets.http.BasicHttpFetcher.fetch(BasicHttpFetcher.java:361)
>         at
> org.apache.shindig.gadgets.http.DefaultRequestPipeline.execute(DefaultRequestPipeline.java:108)
>         at
> org.apache.shindig.gadgets.http.MultipleResourceHttpFetcher$HttpFetchCallable.call(MultipleResourceHttpFetcher.java:105)
>         at
> org.apache.shindig.gadgets.http.MultipleResourceHttpFetcher$HttpFetchCallable.call(MultipleResourceHttpFetcher.java:92)
>         at
> java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:138)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Nov 7, 2011 1:38:28 PM org.apache.shindig.gadgets.servlet.ConcatProxyServlet
> outputError
> INFO: The following error occurred when requesting a concatenated proxy: /*
> ---- Error INTERNAL_SERVER_ERROR
> concat(https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js)
> javax.net.ssl.SSLException: hostname in certificate didn't match:
> <ajax.googleapis.com/74.125.115.95> != <*.googleapis.com> OR
> <googleapis.com> OR <*.googleapis.com> ---- */.
>
> -Ryan
>
> Email: rjbaxter@us.ibm.com
> Phone: 978-899-3041
> developerWorks Profile
>
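
Added example (not part of the original message and not HttpClient's own code): a simplified wildcard matcher showing that the string form of a `java.net.InetAddress`, which is `name/literal-IP`, does not match `*.googleapis.com`, while the bare host name does. The `matches` and `verify` helpers are hypothetical, and treating the `/IP` suffix in the exception as the output of `InetAddress.toString()` is an assumption, one way the "wrong hostname passed to the validation method" case raised in the reply could arise.

```java
import java.net.InetAddress;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added illustration; this is not HttpClient's AbstractVerifier.
public class HostnameSuffixDemo {

    // Hypothetical helper: a "*." pattern covers exactly one left-most label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1); // ".googleapis.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    // Hypothetical helper: accept if any certificate name matches.
    static boolean verify(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matches(host, name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Certificate names as listed in the exception on this page.
        List<String> certNames = Arrays.asList(
                "*.googleapis.com", "googleapis.com", "*.googleapis.com");

        // Built from a name and literal bytes, so no DNS lookup is made.
        InetAddress addr = InetAddress.getByAddress(
                "ajax.googleapis.com", new byte[] {74, 125, 115, 95});

        String asString = addr.toString();    // InetAddress string form: name/literal-IP
        String hostOnly = addr.getHostName(); // the name alone

        System.out.println(asString + " accepted: " + verify(asString, certNames));
        System.out.println(hostOnly + " accepted: " + verify(hostOnly, certNames));
    }
}
```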
