[ https://issues.apache.org/jira/browse/HTTPCLIENT-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1138.
-------------------------------------------

    Resolution: Won't Fix

This problem has been fixed in SVN trunk (4.2). As far as stable 4.1.x releases 
are concerned just do not use deprecated methods / classes. The bug affects 
deprecated code only.

Oleg
                
> SSLSocketFactory incorrectly uses InetSocketAddress.toString() to get the 
> hostname
> ----------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1138
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1138
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.2
>         Environment: Java 6u27
>            Reporter: Marshall Pierce
>
> I'm getting issues with SSL hostname verification:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost/127.0.0.1> != <localhost>
>       at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:228)
>       at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>       at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
>       at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
>       at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
>       at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:495)
>       at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
> I think the issue is on SSLSocketFactory:381.
> It gets the hostname that will then be passed to the hostname verifier:
> // HttpInetSocketAddress#toString() returns original hostname value of the remote address
> String hostname = remoteAddress.toString();
> This seems wrong because remoteAddress.toString() (of type InetSocketAddress) 
> calls toString on the InetAddress inside the InetSocketAddress, and 
> InetAddress#toString() has this in its documentation:
> The string returned is of the form: hostname / literal IP address. Note that 
> the comment seems to indicate the code was originally written against 
> HttpInetSocketAddress, which DOES have the desired behavior on toString(). 
> The runtime type of remoteAddress is java.net.InetSocketAddress, not 
> HttpInetSocketAddress.
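
The mismatch described in the report, reproduced as an added example that is not part of the original message or of HttpClient's code. The `matches` method is a hypothetical stand-in for a hostname verifier, and the host name, address, port and certificate name are constructed sample values.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;

public class HostnameFromSocketAddress {

    // Hypothetical stand-in for a hostname verifier: exact, case-insensitive
    // comparison against a single certificate name. This is NOT HttpClient's
    // AbstractVerifier; it only shows what string reaches the comparison.
    static boolean matches(String hostname, String certName) {
        return hostname.equalsIgnoreCase(certName);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: name and raw address are supplied directly,
        // so no DNS lookup is performed when building the address.
        InetAddress addr =
                InetAddress.getByAddress("localhost", new byte[] {127, 0, 0, 1});
        InetSocketAddress remoteAddress = new InetSocketAddress(addr, 443);
        String certName = "localhost"; // constructed certificate name

        // InetAddress#toString() is documented as "hostname / literal IP
        // address", so it is a display string, not a hostname.
        String fromToString = remoteAddress.getAddress().toString();

        // getHostName() returns only the hostname part of the address.
        String fromGetHostName = remoteAddress.getHostName();

        System.out.println("InetSocketAddress.toString(): " + remoteAddress);
        System.out.println("InetAddress.toString():       " + fromToString
                + " -> matches cert: " + matches(fromToString, certName));
        System.out.println("getHostName():                " + fromGetHostName
                + " -> matches cert: " + matches(fromGetHostName, certName));
    }
}
```

For an address built from a bare IP literal, `getHostName()` performs a reverse lookup, so the name handed to a verifier should be the one the caller originally requested rather than one derived from the socket address.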
