[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oleg Kalnichevski updated HTTPCLIENT-1613:
------------------------------------------
    Fix Version/s: 4.5 Alpha1

No wonder given that 4.3 does not make use of Mozilla PSL. One can however 
disable PSL check for SSL hostname validation (while keeping it on for cookie 
domain validation) in 4.4 as well.

Oleg

PS: it looks like there is no way this issue can be fixed without extending 
public APIs, so its resolution will require a feature release (4.5)

> DefaultHostNameVerifier fails matching wildcard in subject alt name
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1613
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: Øyvind Horneland
>              Labels: ssl
>             Fix For: 4.5 Alpha1
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match 
> any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
>     private static boolean matchIdentity(final String host, final String identity,
>                                          final PublicSuffixMatcher publicSuffixMatcher,
>                                          final boolean strict) {
>         if (publicSuffixMatcher != null && host.contains(".")) {
>             if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>                 return false; // WILL EXIT THE WILDCARD CHECK HERE
>             }
>         }
>         // RFC 2818, 3.1. Server Identity
>         // "...Names may contain the wildcard
>         // character * which is considered to match any single domain name
>         // component or component fragment..."
>         // Based on this statement presuming only singular wildcard is legal
>         final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns 
> *.googleapis.com, but this should probably return googleapis.com (without the 
> wildcard)? If the code reaches the "RFC 2818" logic, then it validates just 
> fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for 
> <www.googleapis.com> doesn't match any of the subject alternative names: 
> [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, 
> cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't 
> match any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
>      at 
> org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>      at 
> org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>      at 
> org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>      at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>      at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>      at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>      at 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>      at 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>      at 
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>      at 
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>      at 
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>      at 
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>      at 
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>      at 
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
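To make the failure path described in the quoted report concrete, below is a small stand-alone model, added for this page and not taken from HttpClient, of the two checks involved: a registrable-domain lookup against a public suffix list, followed by RFC 2818 wildcard matching. The suffix sets are constructed stubs, not the Mozilla PSL; googleapis.com is listed as a privately operated suffix only so that the stub returns the value the report quotes ("*.googleapis.com") when the raw wildcard identity is used as the lookup key, and that placement is not a claim about the real list. All function names are this example's own. A second verifier strips the wildcard label before the lookup and rejects an identity whose remainder is itself a listed suffix (for example "*.co.uk"); which suffix set it consults is a policy choice made by the caller, not something the report settles, and the code shows that this choice alone decides the outcome for the reported host.

```python
"""Model of the wildcard-SAN / public-suffix interaction described in HTTPCLIENT-1613.

Added illustration written for this page; it is not HttpClient code. The suffix
sets are constructed stubs, not the Mozilla PSL, and every function name here is
this example's own.
"""

# Constructed stub of a public suffix list, split the way the Mozilla list is
# organised: suffixes delegated by ICANN and suffixes operated by private
# parties. "googleapis.com" is placed in the private set only so that the stub
# reproduces the return value quoted in the report ("*.googleapis.com"); this
# is not a statement about the real list.
ICANN_SUFFIXES = frozenset({"com", "uk", "co.uk"})
PRIVATE_SUFFIXES = frozenset({"googleapis.com"})
ALL_SUFFIXES = ICANN_SUFFIXES | PRIVATE_SUFFIXES


def get_domain_root(domain, rules):
    """Return the registrable domain of `domain`: the name one label above the
    first suffix found in `rules` while walking right. None if `domain` is
    itself a suffix or has no registrable part.

    The input is used exactly as given. Nothing here knows about wildcards, so
    a leading "*." label stays in the result whenever the label under it is a
    listed suffix."""
    domain_root = None
    segment = domain.lower()
    while True:
        if segment in rules:        # reached a public suffix: stop
            break
        dot = segment.find(".")
        if dot == -1:               # single unknown label: nothing registrable
            break
        domain_root = segment
        segment = segment[dot + 1:]
    return domain_root


def match_domain_root(host, domain_root):
    """True if `host` equals `domain_root` or is a subdomain of it."""
    if domain_root is None:
        return False
    host = host.lower()
    return host == domain_root or host.endswith("." + domain_root)


def match_wildcard(host, identity):
    """RFC 2818 wildcard matching in its strict form: a single '*' is allowed,
    only in the leftmost label of `identity`, and it stands for a non-empty
    fragment of exactly one host label (so "*.example.com" covers neither
    "example.com" nor "a.b.example.com"). The non-empty rule is this example's
    choice."""
    host, identity = host.lower(), identity.lower()
    if "*" not in identity:
        return host == identity
    id_head, _, id_tail = identity.partition(".")
    if id_head.count("*") != 1 or "*" in id_tail or not id_tail:
        return False
    prefix, suffix = id_head.split("*")
    host_head, _, host_tail = host.partition(".")
    if host_tail != id_tail:
        return False
    fragment_len = len(host_head) - len(prefix) - len(suffix)
    return (fragment_len >= 1
            and host_head.startswith(prefix)
            and host_head.endswith(suffix))


def verify_as_reported(host, identity, rules):
    """Order of checks quoted in the report: the public-suffix guard runs on
    the raw identity before the wildcard logic is ever reached. Passing
    rules=None skips the guard."""
    if rules and "." in host:
        if not match_domain_root(host, get_domain_root(identity, rules)):
            return False            # the report's "WILL EXIT THE WILDCARD CHECK HERE"
    return match_wildcard(host, identity)


def verify_with_stripped_wildcard(host, identity, rules):
    """Same guard, but the wildcard label is removed before the lookup, and an
    identity whose remainder is itself a listed suffix (e.g. "*.co.uk") is
    rejected explicitly rather than by accident."""
    if rules and "." in host:
        base = identity[2:] if identity.startswith("*.") else identity
        root = get_domain_root(base, rules)
        if root is None or not match_domain_root(host, root):
            return False
    return match_wildcard(host, identity)


if __name__ == "__main__":
    host, san = "www.googleapis.com", "*.googleapis.com"
    print("domain root of raw identity, all rules :", get_domain_root(san, ALL_SUFFIXES))
    print("domain root of raw identity, ICANN only:", get_domain_root(san, ICANN_SUFFIXES))
    print("reported flow, all rules   :", verify_as_reported(host, san, ALL_SUFFIXES))
    print("reported flow, ICANN only  :", verify_as_reported(host, san, ICANN_SUFFIXES))
    print("stripped flow, ICANN only  :", verify_with_stripped_wildcard(host, san, ICANN_SUFFIXES))
    print("*.co.uk vs example.co.uk   :", verify_with_stripped_wildcard("example.co.uk", "*.co.uk", ICANN_SUFFIXES))
```

Passing None as the rule set skips the public-suffix guard entirely, which is the analogue in this model of the option Oleg mentions above: turning the PSL check off for hostname verification while leaving it in place for cookie domain validation. Note also that once googleapis.com is treated as a public suffix, no wildcard directly above it can pass either variant; the result for the reported host is decided by which suffixes the verifier is told to honour, not by the wildcard code.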
