[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14323146#comment-14323146 ]

Oleg Kalnichevski commented on HTTPCLIENT-1613:
-----------------------------------------------

bq. I've not looked into this in any detail, but surely it is possible to use 
different subsets of the list without breaking binary compatibility?

But how exactly? Even if you are willing to maintain two different lists in 
memory there still has to be a way to tell the loader which one to load.

Oleg

> DefaultHostNameVerifier fails matching wildcard in subject alt name
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1613
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: Øyvind Horneland
>              Labels: ssl
>             Fix For: 4.5 Alpha1
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match 
> any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
>     private static boolean matchIdentity(final String host, final String identity,
>                                          final PublicSuffixMatcher publicSuffixMatcher,
>                                          final boolean strict) {
>         if (publicSuffixMatcher != null && host.contains(".")) {
>             if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>                 return false; // WILL EXIT THE WILDCARD CHECK HERE
>             }
>         }
>         // RFC 2818, 3.1. Server Identity
>         // "...Names may contain the wildcard
>         // character * which is considered to match any single domain name
>         // component or component fragment..."
>         // Based on this statement presuming only singular wildcard is legal
>         final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns 
> *.googleapis.com, but this should probably return googleapis.com (without the 
> wildcard)? If the code reaches the "RFC 2818" logic, then it validates just 
> fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>      at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>      at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>      at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}
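The control flow the report describes, as an added standalone model (not HttpClient code and not the project's fix): a public-suffix "domain root" guard runs first, and the RFC 2818 single-wildcard comparison is only reached if that guard passes. The suffix sets are constructed stand-ins for a real public suffix list; the second set adds an entry for googleapis.com purely so the toy reproduces the identity root the reporter saw ("*.googleapis.com"), which is an assumption about why that value appeared, not a statement about the list HttpClient shipped. The host and SAN list are the ones from the report.

```python
# Added illustration for HTTPCLIENT-1613: a standalone Python model of the
# "domain-root guard, then RFC 2818 wildcard" flow quoted from matchIdentity.
# It is not HttpClient code; names, suffix sets and SAN list are constructed.

# Constructed stand-ins for a public suffix list (the real list is far larger).
# SUFFIXES_WITH_PRIVATE adds "googleapis.com" only so the toy reproduces the
# identity root the reporter observed ("*.googleapis.com"); this is an
# assumption about why that value appeared, not a claim about the shipped list.
SUFFIXES_TLD_ONLY = frozenset({"com", "net", "org", "co.uk"})
SUFFIXES_WITH_PRIVATE = SUFFIXES_TLD_ONLY | {"googleapis.com"}

# Host and SAN list copied from the report.
REPORTED_HOST = "www.googleapis.com"
REPORTED_SANS = ["*.googleapis.com", "*.clients6.google.com",
                 "*.cloudendpointsapis.com", "cloudendpointsapis.com",
                 "googleapis.com"]


def domain_root(name, suffixes):
    """Registrable domain of `name` (the label just above a public suffix), or None.

    Walks the name from the left, dropping one label per step, and remembers the
    last segment seen before reaching a segment that is itself a public suffix.
    A leading "*" label is treated like any other label, so the root of a
    wildcard identity can itself carry the "*" (the behaviour the report is about).
    """
    if not name or name.startswith("."):
        return None
    root = None
    segment = name.lower()
    while segment is not None:
        if segment in suffixes:
            break
        dot = segment.find(".")
        if dot == -1:
            segment = None  # out of labels; keep the last multi-label segment
        else:
            root = segment
            segment = segment[dot + 1:]
    return root


def match_domain_root(host, root):
    """True when `host` equals `root` or is a subdomain of it."""
    if root is None:
        return False
    return host.endswith(root) and (
        len(host) == len(root) or host[-len(root) - 1] == ".")


def match_identity(host, identity, suffixes, strict=True):
    """Return (matched, reason), mirroring the control flow of the quoted code.

    `suffixes=None` disables the domain-root guard, as a null PublicSuffixMatcher
    would. The reason string tells the caller which step rejected the identity.
    """
    host, identity = host.lower(), identity.lower()
    if suffixes is not None and "." in host:
        root = domain_root(identity, suffixes)
        if not match_domain_root(host, root):
            # The early exit the report points at: the wildcard comparison
            # below is never reached.
            return False, "domain-root guard: host %r vs identity root %r" % (host, root)
    # RFC 2818 3.1: a single "*" matches one label or label fragment.
    star = identity.find("*")
    if star == -1:
        return host == identity, "exact comparison"
    prefix, suffix = identity[:star], identity[star + 1:]
    if "*" in suffix:
        return False, "more than one wildcard"
    if (not host.startswith(prefix) or not host.endswith(suffix)
            or len(host) < len(prefix) + len(suffix)):
        return False, "wildcard pattern does not match"
    if strict:
        remainder = host[len(prefix):len(host) - len(suffix)]
        if "." in remainder:
            return False, "wildcard would span more than one label"
    return True, "wildcard match"


def verify(host, sans, suffixes, strict=True):
    """First SAN that matches `host`, or None (where matchDNSName would throw)."""
    for san in sans:
        if match_identity(host, san, suffixes, strict)[0]:
            return san
    return None


if __name__ == "__main__":
    for label, suffixes in (("TLD-only suffixes", SUFFIXES_TLD_ONLY),
                            ("with private suffix", SUFFIXES_WITH_PRIVATE)):
        print("%-20s root(*.googleapis.com)=%r  matched SAN=%r" % (
            label, domain_root("*.googleapis.com", suffixes),
            verify(REPORTED_HOST, REPORTED_SANS, suffixes)))
    # Why the guard exists: without it "*.co.uk" would cover every .co.uk host.
    print("*.co.uk vs example.co.uk, no guard:  ",
          match_identity("example.co.uk", "*.co.uk", None))
    print("*.co.uk vs example.co.uk, with guard:",
          match_identity("example.co.uk", "*.co.uk", SUFFIXES_TLD_ONLY))
```

With only top-level suffixes in the set, the root of `*.googleapis.com` is `googleapis.com`, the guard passes for `www.googleapis.com`, and the wildcard SAN matches. Once the set also treats `googleapis.com` as a suffix, the walk stops one label earlier, the root becomes `*.googleapis.com`, and the guard rejects the host before the wildcard code runs, which is the failure the stack trace shows. The `*.co.uk` case shows the reason the guard is there at all: a wildcard sitting directly on a public suffix must not match, even though the plain RFC 2818 comparison would accept it.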



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)