hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tar (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
Date Tue, 19 May 2015 18:01:01 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14550893#comment-14550893
] 

Tar edited comment on HTTPCLIENT-1613 at 5/19/15 6:00 PM:
----------------------------------------------------------

Hello, I am new to HttpClient and I found this entry for the same issue as the original poster
that I am getting. 

originally I was invoking my client by using this line:

HttpClient client = HttpClients.createDefault()

but because I was getting an error like this while sending something to AWS :

javax.net.ssl.SSLPeerUnverifiedException: Host name 'instructure-uploads.s3.amazonaws.com'
does not match the certificate subject provided by the peer (CN=*.s3.amazonaws.com, OU=S3-A,
O=Amazon.com Inc., L=Seattle, ST=Washington, C=US)

I started using this code :

HttpClient  client = HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();

I am currently using version 4.4. So just to clarify for me, are you saying that when version
4.5 is official I should go back to using :

HttpClient client = HttpClients.createDefault()

as the correct code?

P.S. I agree that fundamentally what google and now also AWS are doing makes no common sense
but like in my case I am getting info via a webservice so I am forced to take what I get and
have to use it.

Thank you for your advice.


was (Author: tarpatel):
Hello, I am new to HttpClient and I found this entry for the same issue as the original poster
that I am getting. 

originally I was invoking my client by using this line:

HttpClient client = HttpClients.createDefault()

but because I was getting an error like this while sending something to AWS :

javax.net.ssl.SSLPeerUnverifiedException: Host name 'instructure-uploads.s3.amazonaws.com'
does not match the certificate subject provided by the peer (CN=*.s3.amazonaws.com, OU=S3-A,
O=Amazon.com Inc., L=Seattle, ST=Washington, C=US)

I started using this code :

HttpClient  client = HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();

I am currently using version 4.4. So just to clarify for me, are you saying that when version
4.5 is official I should go back to using :

HttpClient client = HttpClients.createDefault()

as the correct code?

P.S. I agree that fundamentally what google and now also AWS are doing makes no common sense
but like in my case I am getting info via a webservice so I am forced to take what I get and
have to use it.

Thank you.

Thank you for your advice.

> Support for so called 'private' domains in Mozilla Public Suffix List
> ---------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1613
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: √ėyvind Horneland
>            Assignee: Oleg Kalnichevski
>              Labels: ssl
>             Fix For: 4.5
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any
of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com,
cloudendpointsapis.com, googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
>     private static boolean matchIdentity(final String host, final String identity,
>                                          final PublicSuffixMatcher publicSuffixMatcher,
>                                          final boolean strict) {
>         if (publicSuffixMatcher != null && host.contains(".")) {
>             if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity)))
{
>                 return false; // WILL EXIT THE WILDCARD CHECK HERE
>             }
>         }
>         // RFC 2818, 3.1. Server Identity
>         // "...Names may contain the wildcard
>         // character * which is considered to match any single domain name
>         // component or component fragment..."
>         // Based on this statement presuming only singular wildcard is legal
>         final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns *.googleapis.com,
but this should probably return googleapis.com (without the wildcard)? If the code reaches
the "RFC 2818" logic, then it validates just fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com>
doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com,
*.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match
any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com,
cloudendpointsapis.com, googleapis.com]
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>      at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>      at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>      at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message