hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: I get SSLPeerUnverifiedException after upgrading from 4.3.6 to 4.4
Date Fri, 06 Feb 2015 10:03:39 GMT
On Thu, 2015-02-05 at 19:51 -0800, Sean Shubin wrote:
> /*
> Here is sample Scala code that repeats the problem
> I have tried to include all relevant information.
> Perhaps I was using it wrong all along, and the upgrade to 4.4 just exposed
> that.
> Either way, any guidance would be appreciated.
> */
> 
> package com.seanshubin.debug_me.console
> 
> import org.apache.http.client.methods._
> import org.apache.http.impl.client.HttpClients
> 
> object ConsoleApplication extends App {
>   val url = "https://raw.githubusercontent.com/requirejs/text/latest/text.js
> "
>   val httpGet = new HttpGet(url)
>   val httpClient = HttpClients.createDefault()
>   val httpResponse = httpClient.execute(httpGet)
>   val statusCode = httpResponse.getStatusLine.getStatusCode
>   println(statusCode)
> }
> 
> /*
> Behavior before upgrade
> 
> <dependency>
>   <groupId>org.apache.httpcomponents</groupId>
>   <artifactId>httpclient</artifactId>
>   <version>4.3.6</version>
> </dependency>
> 
> 200
> 
> ----------------------------------------------------------------------------------------------------
> Behavior after upgrade
> 
> <dependency>
>   <groupId>org.apache.httpcomponents</groupId>
>   <artifactId>httpclient</artifactId>
>   <version>4.4</version>
> </dependency>
> 
> Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: Host
> name 'raw.githubusercontent.com' does not match the certificate subject
> provided by the peer (CN=www.github.com, O="Fastly, Inc.", L=San Francisco,
> ST=California, C=US)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:466)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> at
> com.seanshubin.debug_me.console.ConsoleApplication$.delayedEndpoint$com$seanshubin$debug_me$console$ConsoleApplication$1(ConsoleApplication.scala:10)
> at
> com.seanshubin.debug_me.console.ConsoleApplication$delayedInit$body.apply(ConsoleApplication.scala:6)
> at scala.Function0$class.apply$mcV$sp(Function0.scala:40)
> at scala.runtime.AbstractFunction0.apply$mcV$sp(AbstractFunction0.scala:12)
> at scala.App$anonfun$main$1.apply(App.scala:76)
> at scala.App$anonfun$main$1.apply(App.scala:76)
> at scala.collection.immutable.List.foreach(List.scala:381)
> at
> scala.collection.generic.TraversableForwarder$class.foreach(TraversableForwarder.scala:35)
> at scala.App$class.main(App.scala:76)
> at
> com.seanshubin.debug_me.console.ConsoleApplication$.main(ConsoleApplication.scala:6)
> at
> com.seanshubin.debug_me.console.ConsoleApplication.main(ConsoleApplication.scala)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:483)
> at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
> 
> */

[DEBUG] DefaultHttpClientConnectionOperator - Connecting to
raw.githubusercontent.com/185.31.17.133:443
[DEBUG] SSLConnectionSocketFactory - Connecting socket to
raw.githubusercontent.com/185.31.17.133:443 with timeout 0
[DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1]
[DEBUG] SSLConnectionSocketFactory - Enabled cipher
suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] SSLConnectionSocketFactory - Starting handshake
[DEBUG] SSLConnectionSocketFactory - Secure session established
[DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1
[DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[DEBUG] SSLConnectionSocketFactory -  peer principal: CN=www.github.com,
O="Fastly, Inc.", L=San Francisco, ST=California, C=US
[DEBUG] SSLConnectionSocketFactory -  peer alternative names:
[www.github.com, *.github.com, *.github.io, *.githubusercontent.com]
[DEBUG] SSLConnectionSocketFactory -  issuer principal: CN=DigiCert High
Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
---

Public suffix list contains the following entries
---
// GitHub, Inc.
// Submitted by Ben Toews <btoews@github.com> 2014-02-06
github.io
githubusercontent.com
---

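This makes 'githubusercontent.com' a public name space like 'com'
or 'co.uk', that is, a suffix under which unrelated parties hold their
own names. Based on that, HC 4.4 cannot accept the
'*.githubusercontent.com' alternative subject name, as it is too broad:
it is treated the same way a wildcard such as '*.com' or '*.co.uk' would
be. Note that the log above shows the TLS session being established; the
exception is raised afterwards, in the host name verification step
(SSLConnectionSocketFactory.verifyHostname in the stack trace).
For details see
https://publicsuffix.org/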

Oleg

