hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1578) Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS
Date Wed, 12 Nov 2014 08:50:33 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207829#comment-14207829 ]

Oleg Kalnichevski commented on HTTPCLIENT-1578:
-----------------------------------------------

Richard
HttpClient supports SNI as of version 4.3.2 only. I do not see how this could be a regression
(hence the resolution). Please advise the author of the Jenkins plugin to consider upgrading
to HttpClient 4.3

Oleg

> Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1578
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1578
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>            Reporter: Richard Comblen
>
> We have a service provider hosting a web application (Atlassian Stash) behind https proxy. The server hosting this proxy hosts other VirtualHosts using https.
> We have a client application (Jenkins) submitting POST requests to that application using the httpclient library.
> We realized that starting with version 4.1.1 of the library, we get an SSL exception related to hostname verification.
> I've created a minimal example hosted on GitHub: https://github.com/rcomblen/HttpClientRegressionTest
> Debugging, you will see that the only certificate retrieved by the SSLSocket object corresponds to atlashost.eu (the hosting provider) and not *.kreios.lu (our own certificate).
> It seems the library behaves like the openssl command line if you miss the -servername argument:
> {code}
> $ openssl s_client -connect stash.kreios.lu:443 2>/dev/null | grep subject
> subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak/CN=*.atlashost.eu/emailAddress=hostmaster@atlashost.eu
> $ openssl s_client -connect stash.kreios.lu:443 -servername stash.kreios.lu 2>/dev/null | grep subject
> subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
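
Added example (not part of the original message and not HttpClient code): a small offline check that reads the two `openssl s_client ... | grep subject` results quoted in the issue and shows why the certificate served without SNI fails hostname verification for `stash.kreios.lu` while the one served with `-servername` passes. The function names and result labels are hypothetical, the sample lines are abbreviated from the quoted output, and the match is done on the subject CN only because that is what the output shows (real verifiers check subjectAltName first).

```python
import re

# Sample input: abbreviated from the two subject lines quoted in the issue
# (old one-line OpenSSL subject format; serial/description fields dropped).
WITHOUT_SNI = ("subject=/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak"
               "/CN=*.atlashost.eu/emailAddress=hostmaster@atlashost.eu")
WITH_SNI = ("subject=/OU=See www.rapidssl.com/resources/cps (c)14"
            "/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu")


def subject_cn(line):
    """Return the CN from a 'subject=/K=V/...' line, or None.

    Attribute values can themselves contain '/' (see the OU above),
    so search for '/CN=' instead of splitting the line on '/'.
    """
    m = re.search(r"/CN=([^/]+)", line)
    return m.group(1).strip() if m else None


def hostname_matches(pattern, host):
    """Match host against a certificate name; '*' is accepted only as the
    whole leftmost label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.lu' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def diagnose(host, default_line, sni_line):
    """Classify the pair of results obtained without and with SNI."""
    default_cn, sni_cn = subject_cn(default_line), subject_cn(sni_line)
    default_ok = bool(default_cn) and hostname_matches(default_cn, host)
    sni_ok = bool(sni_cn) and hostname_matches(sni_cn, host)
    if sni_ok and not default_ok:
        return "sni-required"    # only the vhost selected via SNI has a valid cert
    if sni_ok and default_ok:
        return "ok-either-way"   # default vhost certificate also covers the host
    return "mismatch"            # even the SNI-selected certificate does not match


if __name__ == "__main__":
    print(diagnose("stash.kreios.lu", WITHOUT_SNI, WITH_SNI))
```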

