Richard Comblen created HTTPCLIENT-1578:
-------------------------------------------

             Summary: Regression between v4.1 and v4.1.1 regarding validation 
of SSL certificates for servers with multiple VirtualHost serving HTTPS
                 Key: HTTPCLIENT-1578
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1578
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
            Reporter: Richard Comblen


We have a service provider hosting a web application (Atlassian Stash) behind 
an https proxy. The server hosting this proxy hosts other VirtualHosts using https.

We have a client application (Jenkins) submitting POST requests to that 
application using the httpclient library.

We realized that starting with version 4.1.1 of the library, we get an SSL 
exception related to hostname verification.

I've created a minimal example hosted on GitHub: 
https://github.com/rcomblen/HttpClientRegressionTest

Debugging, you will see that the only certificate retrieved by the SSLSocket 
object corresponds to atlashost.eu (the hosting provider) and not *.kreios.lu 
(our own certificate).

It seems the library behaves like the openssl command line if you miss the 
-servername argument:
{code}
$ openssl s_client -connect stash.kreios.lu:443 2>/dev/null | grep subject
subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak/CN=*.atlashost.eu/emailAddress=hostmas...@atlashost.eu
$ openssl s_client -connect stash.kreios.lu:443 -servername stash.kreios.lu 2>/dev/null | grep subject
subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu
{code}
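As an added illustration (not part of the issue and not HttpClient code), the following Python runs a hostname check over the two subject lines printed above: the certificate the server presents when no SNI name is sent (the default VirtualHost, CN=*.atlashost.eu) cannot match stash.kreios.lu, which is exactly the hostname-verification failure the reporter observes, while the certificate returned with -servername (CN=*.kreios.lu) does. The subject strings are copied from the openssl output with trailing fields omitted; the matcher looks at CN only because that is what the grep shows (real verifiers check subjectAltName first).

```python
import re

# Subject lines from the openssl output above, trailing fields omitted.
SUBJECT_WITHOUT_SNI = "subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak/CN=*.atlashost.eu"
SUBJECT_WITH_SNI = "subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041/CN=*.kreios.lu"


def subject_cn(subject_line: str) -> str:
    """Extract the CN value from an openssl-style 'subject=/C=../CN=..' line."""
    m = re.search(r"/CN=([^/]+)", subject_line)
    if not m:
        raise ValueError("no CN in subject line")
    return m.group(1).strip()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match used by hostname verifiers.

    A '*' is only accepted as the entire left-most label and matches exactly
    one label: *.kreios.lu matches stash.kreios.lu, but neither kreios.lu
    nor a.b.kreios.lu. Partial wildcards and '*.tld' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_presented_cert(subject_line: str, hostname: str):
    """Return (CN, matches) for the certificate a server presented."""
    cn = subject_cn(subject_line)
    return cn, hostname_matches(cn, hostname)


if __name__ == "__main__":
    for label, subj in (("no SNI", SUBJECT_WITHOUT_SNI), ("SNI", SUBJECT_WITH_SNI)):
        cn, ok = verify_presented_cert(subj, "stash.kreios.lu")
        print(f"{label}: presented CN={cn}, hostname verification {'passes' if ok else 'FAILS'}")
```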

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)