hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HTTPCLIENT-1613) DefaultHostNameVerifier fails matching wildcard in subject alt name
Date Mon, 16 Feb 2015 16:48:11 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1613:
------------------------------------------
    Fix Version/s: 4.5 Alpha1

No wonder given that 4.3 does not make use of Mozilla PSL. One can however disable PSL check
for SSL hostname validation (while keeping it on for cookie domain validation) in 4.4 as well.

Oleg

PS: it looks like there is no way this issue can be fixed without extending public APIs, so
its resolution will require a feature release (4.5)

> DefaultHostNameVerifier fails matching wildcard in subject alt name
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1613
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>                Reporter: Øyvind Horneland
>              Labels: ssl
>             Fix For: 4.5 Alpha1
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
>     private static boolean matchIdentity(final String host, final String identity,
>                                          final PublicSuffixMatcher publicSuffixMatcher,
>                                          final boolean strict) {
>         if (publicSuffixMatcher != null && host.contains(".")) {
>             if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>                 return false; // WILL EXIT THE WILDCARD CHECK HERE
>             }
>         }
>         // RFC 2818, 3.1. Server Identity
>         // "...Names may contain the wildcard
>         // character * which is considered to match any single domain name
>         // component or component fragment..."
>         // Based on this statement presuming only singular wildcard is legal
>         final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns *.googleapis.com, but this should probably return googleapis.com (without the wildcard)? If the code reaches the "RFC 2818" logic, then it validates just fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>      at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>      at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>      at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
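The following is an added worked example, not code from HttpClient or from anyone in this thread. It re-implements in Python the shape of the logic quoted above (the public-suffix guard in matchIdentity, matchDomainRoot, and the RFC 2818 single-wildcard match) so the reported failure can be reproduced offline, and it shows what the two ways out cost: restricting the guard to registry (ICANN) rules, versus switching the guard off for hostname verification as Oleg suggests. The public suffix list is a constructed four-entry subset; treating googleapis.com as a PRIVATE-section entry of the Mozilla list is this example's assumption about why getDomainRoot returned a wildcard-bearing root, not something the thread states. Function names (domain_root, match_identity, report) are the example's own; exception rules of the PSL are omitted.

```python
"""Model of the public-suffix guard in front of the RFC 2818 wildcard match,
as quoted from HttpClient 4.4's DefaultHostnameVerifier. Added example,
not the library's code."""

# Constructed PSL subset (assumption: googleapis.com is tagged "private",
# as the Mozilla list files company-operated suffixes, not registry ones).
PSL = {
    "com": "icann",
    "uk": "icann",
    "co.uk": "icann",
    "googleapis.com": "private",
}
ALL_RULES = set(PSL)
ICANN_RULES = {rule for rule, section in PSL.items() if section == "icann"}


def domain_root(domain, rules):
    """Registrable domain of `domain` under `rules`, walking label by label
    toward the root. Returns None when `domain` is itself a suffix rule.
    A leading '*.' is handled like any other label, which is why the issue
    reports getDomainRoot('*.googleapis.com') == '*.googleapis.com'."""
    if domain is None or domain.startswith("."):
        return None
    domain_name = None
    segment = domain.lower()
    while segment is not None:
        if segment in rules:
            break
        dot = segment.find(".")
        next_segment = segment[dot + 1:] if dot != -1 else None
        if next_segment is not None:
            if "*." + next_segment in rules:  # wildcard rule such as "*.ck"
                break
            domain_name = segment
        segment = next_segment
    return domain_name


def match_domain_root(host, root):
    """host must equal root or end with '.' + root."""
    if root is None:
        return False
    return host.endswith(root) and (
        len(host) == len(root) or host[len(host) - len(root) - 1] == ".")


def match_identity(host, identity, rules=None, strict=True):
    """Match one DNS SAN `identity` against `host`. `rules` is the set of
    public-suffix rules to guard with, or None to skip the guard entirely
    (the 4.4 workaround of verifying hostnames without a PSL)."""
    host, identity = host.lower(), identity.lower()
    if rules is not None and "." in host:
        # Guard: the identity's registrable domain must cover the host.
        if not match_domain_root(host, domain_root(identity, rules)):
            return False
    star = identity.find("*")
    if star != -1:  # single wildcard, RFC 2818 3.1
        prefix, suffix = identity[:star], identity[star + 1:]
        if prefix and not host.startswith(prefix):
            return False
        if suffix and not host.endswith(suffix):
            return False
        if strict:  # wildcard may cover only one label
            remainder = host[len(prefix):len(host) - len(suffix)]
            if "." in remainder:
                return False
        return True
    return host == identity


def report():
    """(all rules, ICANN rules only, no PSL) verdict per constructed case."""
    cases = [
        ("www.googleapis.com", "*.googleapis.com"),  # the reported failure
        ("googleapis.com", "googleapis.com"),        # exact SAN, same cert
        ("www.example.co.uk", "*.co.uk"),
        ("example.co.uk", "*.co.uk"),
        ("example.com", "*.com"),
    ]
    return {
        (h, i): (match_identity(h, i, ALL_RULES),
                 match_identity(h, i, ICANN_RULES),
                 match_identity(h, i, None))
        for h, i in cases
    }


if __name__ == "__main__":
    for (h, i), verdicts in report().items():
        print(f"{h:<22} vs {i:<18} all/icann/none = {verdicts}")
```

In this model the reported case fails only because googleapis.com is itself a rule: the root computed for *.googleapis.com keeps the wildcard, and www.googleapis.com cannot end with it. That is the same mechanism that correctly rejects *.co.uk for www.example.co.uk and *.com for example.com, so the guard cannot simply be loosened. Stripping the wildcard before the lookup, as the reporter proposes, does not help here either: domain_root("googleapis.com") under the full rule set is None and the match still fails, which is why the fix needed a way to tell registry rules from private ones (the 4.5 API added a DomainType for this, so the hostname guard can consult ICANN rules only). The third column is the cost of the workaround Oleg mentions: with no PSL in the verifier, *.co.uk matches example.co.uk and *.com matches example.com, so anyone choosing that route should be sure their trust store cannot produce such certificates.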

