Date: Wed, 12 Nov 2014 08:50:33 +0000 (UTC)
From: "Oleg Kalnichevski (JIRA)"
To: dev@hc.apache.org
Subject: [jira] [Commented] (HTTPCLIENT-1578) Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207829#comment-14207829 ]

Oleg Kalnichevski commented on HTTPCLIENT-1578:
-----------------------------------------------

Richard

HttpClient supports SNI as of version 4.3.2 only. I do not see how this could be a regression (hence the resolution).
Please advise the author of the Jenkins plugin to consider upgrading to HttpClient 4.3

Oleg

> Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1578
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1578
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>            Reporter: Richard Comblen
>
> We have a service provider hosting a web application (Atlassian Stash) behind https proxy. The server hosting this proxy hosts other VirtualHosts using https.
> We have a client application (Jenkins) submitting POST requests to that application using the httpclient library.
> We realized that starting with version 4.1.1 of the library, we get an SSL exception related to hostname verification.
> I've created a minimal example hosted on GitHub: https://github.com/rcomblen/HttpClientRegressionTest
> Debugging, you will see that the only certificate retrieved by the SSLSocket object corresponds to atlashost.eu (the hosting provider) and not *.kreios.lu (our own certificate).
> It seems the library behaves like the openssl command line if you miss the -servername argument:
> {code}
> $ openssl s_client -connect stash.kreios.lu:443 2>/dev/null | grep subject
> subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak/CN=*.atlashost.eu/emailAddress=hostmaster@atlashost.eu
> $ openssl s_client -connect stash.kreios.lu:443 -servername stash.kreios.lu 2>/dev/null | grep subject
> subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu
> {code}