SSLSocketFactory incorrectly uses InetSocketAddress.toString() to get the hostname
----------------------------------------------------------------------------------
Key: HTTPCLIENT-1138
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1138
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 4.1.2
Environment: Java 6u27
Reporter: Marshall Pierce

I'm getting issues with SSL hostname verification:

    javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost/127.0.0.1> != <localhost>
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:228)
        at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:495)
        at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)

I think the issue is on SSLSocketFactory:381.
It gets the hostname that will then be passed to the hostname verifier:

    // HttpInetSocketAddress#toString() returns original hostname value of the remote address
    String hostname = remoteAddress.toString();

This seems wrong because remoteAddress.toString() (of type InetSocketAddress)
calls toString on the InetAddress inside the InetSocketAddress, and
InetAddress#toString() has this in its documentation:

    The string returned is of the form: hostname / literal IP address.

Note that the comment seems to indicate the code was originally written against
HttpInetSocketAddress, which DOES have the desired behavior on toString(). The
runtime type of remoteAddress is java.net.InetSocketAddress, not
HttpInetSocketAddress.
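
Added example, not part of the original report and not HttpClient's own code: it prints what the two toString() forms and getHostName() return for the same address and whether each would pass an exact-match check against the certificate name. The class name, the matches() helper and the sample values are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;

public class HostnameFromSocketAddress {

    // Hypothetical stand-in for the exact-match step of a hostname verifier:
    // the certificate name must equal the name the client connected to.
    static boolean matches(String certName, String host) {
        return certName.equalsIgnoreCase(host);
    }

    // The pattern from the report: toString() on a plain InetSocketAddress.
    static String viaToString(InetSocketAddress remote) {
        return remote.toString();
    }

    // Accessor that returns only the host name part of the address.
    static String viaGetHostName(InetSocketAddress remote) {
        return remote.getHostName();
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample: getByAddress() pairs the name with the literal
        // address without a DNS lookup, so this runs offline.
        InetAddress addr =
                InetAddress.getByAddress("localhost", new byte[] {127, 0, 0, 1});
        InetSocketAddress remote = new InetSocketAddress(addr, 443);
        String certName = "localhost"; // constructed certificate name

        String[] labels = {
            "InetAddress.toString()",
            "InetSocketAddress.toString()",
            "InetSocketAddress.getHostName()"
        };
        String[] values = {
            addr.toString(), viaToString(remote), viaGetHostName(remote)
        };
        for (int i = 0; i < values.length; i++) {
            System.out.println(labels[i] + " -> <" + values[i] + "> matches <"
                    + certName + ">: " + matches(certName, values[i]));
        }
    }
}
```

getHostName() can fall back to a reverse DNS lookup when the address was built from a literal IP; on Java 7 and later, getHostString() returns the stored name or the literal without that lookup.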