Øyvind Horneland created HTTPCLIENT-1613:
--------------------------------------------

             Summary: DefaultHostNameVerifier fails matching wildcard in subject alt name
                 Key: HTTPCLIENT-1613
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.4 Final
            Reporter: Øyvind Horneland


Host: www.googleapis.com
Certificate subject alt name: *.googleapis.com

DefaultHostnameVerifier.matchDNSName throws an SSLException with message
{quote}
DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
{quote}

The default PublicSuffixMatcher is in use.

Possible cause: 
DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
{noformat}
    private static boolean matchIdentity(final String host, final String identity,
                                         final PublicSuffixMatcher publicSuffixMatcher,
                                         final boolean strict) {
        if (publicSuffixMatcher != null && host.contains(".")) {
            if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
                return false; // WILL EXIT THE WILDCARD CHECK HERE
            }
        }

        // RFC 2818, 3.1. Server Identity
        // "...Names may contain the wildcard
        // character * which is considered to match any single domain name
        // component or component fragment..."
        // Based on this statement presuming only singular wildcard is legal
        final int asteriskIdx = identity.indexOf('*');
{noformat}

The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns 
*.googleapis.com, but this should probably return googleapis.com (without the 
wildcard)? If the code reaches the "RFC 2818" logic, then it validates just 
fine.

Note: A default PublicSuffixMatcher is in use.

Stacktrace:
{noformat}
10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
     at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
     at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
     at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
{noformat}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
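Modelling the check order the report describes, as an added example (an editor's Python model, not HttpClient's own code): the functions mirror matchIdentity, matchDomainRoot and the single-wildcard RFC 2818 rule quoted in the report, and both public-suffix rule sets are constructed. The second rule set, which treats googleapis.com itself as a suffix, is one way to obtain the getDomainRoot result the report observes, and it shows why the wildcard logic is never reached.

```python
# Added example (editor's model, not HttpClient's code): the check order from
# matchIdentity as quoted in the report, with constructed public-suffix rules.

def domain_root(name, rules):
    """Strip labels from the left until a suffix rule matches; return the label
    just above the suffix (the registrable domain) or None. A leading '*' label
    is treated like any other label, so a wildcard identity keeps its '*'."""
    root, segment = None, name.lower()
    while segment is not None:
        if segment in rules:
            break
        dot = segment.find(".")
        nxt = segment[dot + 1:] if dot != -1 else None
        if nxt is not None and "*." + nxt in rules:
            break
        root, segment = segment, nxt
    return root

def match_domain_root(host, root):
    """The gate that runs before the wildcard logic: host must be the root or
    a subdomain of it."""
    return root is not None and (host == root or host.endswith("." + root))

def match_wildcard(host, identity):
    """RFC 2818 style: one '*' matches a single label or label fragment."""
    if "*" not in identity:
        return host == identity
    prefix, _, suffix = identity.partition("*")
    if "*" in suffix or not (host.startswith(prefix) and host.endswith(suffix)):
        return False
    middle = host[len(prefix):len(host) - len(suffix)]
    return len(middle) > 0 and "." not in middle

def match_identity(host, identity, rules):
    """Same order as the quoted code: domain-root gate first, wildcard second."""
    if rules is not None and "." in host:
        if not match_domain_root(host, domain_root(identity, rules)):
            return False  # the wildcard logic below is never reached
    return match_wildcard(host, identity)

def reproduce():
    """Constructed rule sets: with only 'com' as a suffix the SAN matches; if
    'googleapis.com' is itself a suffix the root keeps its '*' and the gate fails."""
    host, san = "www.googleapis.com", "*.googleapis.com"
    return {
        "root_com_only": domain_root(san, {"com"}),
        "root_private": domain_root(san, {"com", "googleapis.com"}),
        "match_com_only": match_identity(host, san, {"com"}),
        "match_private": match_identity(host, san, {"com", "googleapis.com"}),
        "wildcard_alone": match_wildcard(host, san),
    }
```

Calling reproduce() returns root_private == '*.googleapis.com' and match_private == False while wildcard_alone is True, which is the short-circuit the report points at.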
