[https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14552037#comment-14552037]
Oleg Kalnichevski commented on HTTPCLIENT-1613:
-----------------------------------------------
@Tar: Generally, JIRA is not the right place for such inquiries. Yes, as of 4.5
one should be able to use default settings and get private domains handled
correctly (included in cookie validation but excluded in SSL hostname
validation). For now one can disable PSL support without disabling SSL hostname
verification entirely by doing
{code:java}
CloseableHttpClient client = HttpClients.custom()
        .setSSLHostnameVerifier(new DefaultHostnameVerifier(null))
        .build();
{code}
Oleg
> Support for so called 'private' domains in Mozilla Public Suffix List
> ---------------------------------------------------------------------
>
> Key: HTTPCLIENT-1613
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Affects Versions: 4.4 Final
> Reporter: Øyvind Horneland
> Assignee: Oleg Kalnichevski
> Labels: ssl
> Fix For: 4.5
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match
> any of the subject alternative names: [*.googleapis.com,
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com,
> googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause:
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
> private static boolean matchIdentity(final String host, final String identity,
>                                      final PublicSuffixMatcher publicSuffixMatcher,
>                                      final boolean strict) {
>     if (publicSuffixMatcher != null && host.contains(".")) {
>         if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>             return false; // WILL EXIT THE WILDCARD CHECK HERE
>         }
>     }
>     // RFC 2818, 3.1. Server Identity
>     // "...Names may contain the wildcard
>     // character * which is considered to match any single domain name
>     // component or component fragment..."
>     // Based on this statement presuming only singular wildcard is legal
>     final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns
> *.googleapis.com, but this should probably return googleapis.com (without the
> wildcard)? If the code reaches the "RFC 2818" logic, then it validates just
> fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
>     at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>     at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>     at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}
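The interaction between the quoted domain-root check and the "private" section of the Public Suffix List, as an added illustration that is not HttpClient's code: a three-entry stand-in for the PSL (ICANN entries `com`, `uk`, `co.uk`; private entry `googleapis.com`), a `domain_root` function that walks the labels the way the quoted `getDomainRoot` call does, and the `matchIdentity` control flow run in three modes. The mode names `ICANN_AND_PRIVATE`, `ICANN_ONLY` and `NO_PSL` are this example's own and model, respectively, the 4.4 behaviour in the report, the 4.5 default Oleg describes (private domains excluded from SSL hostname validation), and the `DefaultHostnameVerifier(null)` workaround.

```python
"""Model of the wildcard identity check discussed in HTTPCLIENT-1613.

Constructed example, not HttpClient's own code: a tiny Public Suffix List
stand-in with an ICANN section and a PRIVATE section, a domain-root function,
and the identity check run in three PSL modes.
"""
from typing import Optional

# Constructed PSL excerpt. The real list (https://publicsuffix.org/list/) is
# far larger; googleapis.com is listed in its PRIVATE section.
ICANN_SUFFIXES = {"com", "uk", "co.uk"}
PRIVATE_SUFFIXES = {"googleapis.com"}

# PSL modes for match_identity (names are this example's, not HttpClient's).
NO_PSL = "none"                      # models DefaultHostnameVerifier(null)
ICANN_ONLY = "icann"                 # models the 4.5 default for hostname checks
ICANN_AND_PRIVATE = "icann+private"  # models the 4.4 behaviour in the report


def is_public_suffix(domain: str, include_private: bool) -> bool:
    if domain in ICANN_SUFFIXES:
        return True
    return include_private and domain in PRIVATE_SUFFIXES


def domain_root(name: str, include_private: bool) -> Optional[str]:
    """Registrable domain: one label below the longest matching public
    suffix, or None when the name is itself a public suffix (e.g. co.uk).
    A leading '*' label is treated like any other label, which is what the
    reporter observed for *.googleapis.com."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if not is_public_suffix(candidate, include_private):
            return candidate
    return None


def match_domain_root(host: str, root: Optional[str]) -> bool:
    """host must be root itself or lie somewhere under it."""
    if root is None:
        return False
    return host == root or host.endswith("." + root)


def match_wildcard(host: str, identity: str, strict: bool = True) -> bool:
    """RFC 2818 wildcard: one '*' matches a single label or a fragment of it."""
    idx = identity.find("*")
    if idx == -1:
        return host == identity
    prefix, suffix = identity[:idx], identity[idx + 1:]
    if prefix and not host.startswith(prefix):
        return False
    if suffix and not host.endswith(suffix):
        return False
    if strict:
        # The part consumed by '*' may not span a label boundary.
        remainder = host[len(prefix):len(host) - len(suffix)]
        if "." in remainder:
            return False
    return True


def match_identity(host: str, identity: str, psl_mode: str = ICANN_ONLY) -> bool:
    """Same control flow as the snippet quoted in the issue: the domain-root
    check runs first and, when it fails, the wildcard logic is never reached."""
    host, identity = host.lower(), identity.lower()
    if psl_mode != NO_PSL and "." in host:
        root = domain_root(identity, include_private=(psl_mode == ICANN_AND_PRIVATE))
        if not match_domain_root(host, root):
            return False  # the early exit the reporter points at
    return match_wildcard(host, identity, strict=True)


if __name__ == "__main__":
    cases = [
        ("www.googleapis.com", "*.googleapis.com"),  # the reported failure
        ("a.b.googleapis.com", "*.googleapis.com"),  # wildcard must not span labels
        ("example.co.uk", "*.co.uk"),                # wildcard over a public suffix
    ]
    for mode in (ICANN_AND_PRIVATE, ICANN_ONLY, NO_PSL):
        for host, ident in cases:
            print(f"{mode:14} {host:20} vs {ident:18} -> {match_identity(host, ident, mode)}")
```

Running it shows the three behaviours side by side: with private suffixes included, `domain_root("*.googleapis.com")` is `*.googleapis.com` and `www.googleapis.com` is rejected before the RFC 2818 logic runs; with them excluded, the root is `googleapis.com` and the wildcard matches. The `NO_PSL` row is the caveat for the `DefaultHostnameVerifier(null)` workaround: skipping the matcher entirely also skips the check that refuses a wildcard sitting directly on a public suffix, so `*.co.uk` is then accepted for `example.co.uk`.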
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)