hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steven Schlansker (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1653) HttpClient does not validate maps.googleapis.com SSL certificate
Date Fri, 29 May 2015 23:27:17 GMT
Steven Schlansker created HTTPCLIENT-1653:
---------------------------------------------

             Summary: HttpClient does not validate maps.googleapis.com SSL certificate
                 Key: HTTPCLIENT-1653
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1653
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.4.1
            Reporter: Steven Schlansker
            Priority: Critical


The "maps.googleapis.com" server currently presents the following certificate:

{code:java}
chain [0] = [
[
  Version: V3
  Subject: CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 24603438786799829993648986678019724241291765107767178256438229769255639603630079287976600644587296195855281469059079095367693219326954103920400266180383714041264052001835821459859979062309981001645460419612216568125600250057216485831813121470478703938651527074889693548670323978511118184793624149312062021697081807052679954878936237623840471166038329237994080148923456402909798064024275285184248122957449662230743505636400659699969523942248493865256228640211859299202173559659130845208610068933123027284385426267851138391278103759929777510485659786801300351957512079336462523079107001753896874655730331898039986696973
  public exponent: 65537
  Validity: [From: Wed May 06 02:59:24 PDT 2015,
              To: Mon Aug 03 17:00:00 PDT 2015]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    61dbc852 b477cf78]

Certificate Extensions: 8
...
[7]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.storage.googleapis.com
  DNSName: *.commondatastorage.googleapis.com
  DNSName: *.googleapis.com
]
{code}

The "googleapis.com" name is in the "mozilla/public-suffix-list.txt" file which is used by
the PublicSuffixMatcher class to help parse DNS names.

As the following test case demonstrates, this causes validation of the Google certificate
to fail:

{code:java}
@Test
public void testGoogleSubjectAlternativeNames() throws Exception {
    DefaultHostnameVerifier.matchDNSName("maps.googleapis.com", Arrays.asList(
            "*.storage.googleapis.com",
            "*.commondatastorage.googleapis.com",
            "*.googleapis.com"), new PublicSuffixMatcher(Collections.singleton("googleapis.com"),
Collections.<String>emptySet()));
}
{code}

This is a serious regression as it prevents secure connections to Google APIs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message