hc-dev mailing list archives

From "Richard Comblen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1578) Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS
Date Tue, 11 Nov 2014 12:45:33 GMT
Richard Comblen created HTTPCLIENT-1578:
-------------------------------------------

             Summary: Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS
                 Key: HTTPCLIENT-1578
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1578
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
            Reporter: Richard Comblen


We have a service provider hosting a web application (Atlassian Stash) behind an https proxy.
The server hosting this proxy hosts other VirtualHosts using https.

We have a client application (Jenkins) submitting POST requests to that application using
the httpclient library.

We realized that starting with version 4.1.1 of the library, we get an SSL exception related
to hostname verification.

I've created a minimal example hosted on GitHub: https://github.com/rcomblen/HttpClientRegressionTest

Debugging, you will see that the only certificate retrieved by the SSLSocket object corresponds
to atlashost.eu (the hosting provider) and not *.kreios.lu (our own certificate).

It seems the library behaves like the openssl command line if you omit the -servername argument:
{code}
$ openssl s_client -connect stash.kreios.lu:443 2>/dev/null | grep subject
subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak/CN=*.atlashost.eu/emailAddress=hostmaster@atlashost.eu
$ openssl s_client -connect stash.kreios.lu:443 -servername stash.kreios.lu 2>/dev/null | grep subject
subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
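An added diagnostic, not part of the report and not HttpClient code: it parses openssl subject lines like the ones quoted above, applies the wildcard name matching a hostname verifier performs, and can probe a server with and without SNI to show which leaf certificate comes back. The host, port and probe() helper are assumptions for illustration; only the parsing and matching parts run offline.

```python
import re
import socket
import ssl

def parse_openssl_subject(line):
    """Parse a 'subject=/C=PL/.../CN=x' line as printed by openssl s_client.
    Splits only on '/' that starts a new 'type=' pair, so a '/' inside a value
    (e.g. 'See www.rapidssl.com/resources/cps') is kept. Returns type -> [values]."""
    body = line.split("subject=", 1)[1] if "subject=" in line else line
    rdns = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", body.strip()):
        if "=" in part:
            k, v = part.split("=", 1)
            rdns.setdefault(k, []).append(v)
    return rdns

def hostname_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the whole leftmost label and
    matches exactly one label; comparison is case-insensitive, so '*.kreios.lu'
    matches 'stash.kreios.lu' but not 'kreios.lu' or 'a.stash.kreios.lu'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cn, sans, hostname):
    """Verifiers prefer dNSName SANs and fall back to the CN only when none exist."""
    names = sans if sans else (cn,)
    return any(hostname_matches(n, hostname) for n in names if n)

def probe(host, port=443, send_sni=True, timeout=5.0):
    """Connect with or without SNI (assumed helper, needs network) and return
    (CN, dNSName SANs, matches?) for the leaf certificate actually presented.
    Without SNI a multi-VirtualHost server hands back its default certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by cert_matches_host
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain is still validated
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            cert = tls.getpeercert()
    subj = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = tuple(v for t, v in cert.get("subjectAltName", ()) if t == "DNS")
    cn = subj.get("commonName")
    return cn, sans, cert_matches_host(cn, sans, host)
```

Calling probe(host, send_sni=False) and probe(host, send_sni=True) side by side reproduces the two openssl invocations above in Python; a client that does not send SNI will see the first result.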

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
