[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15024250#comment-15024250 ]

Oleg Kalnichevski commented on HTTPCLIENT-1613:
-----------------------------------------------

Works for me
{noformat}
[DEBUG] RequestAddCookies - CookieSpec selected: default
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://googleapis.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://googleapis.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] MainClientExec - Opening connection {s}->https://googleapis.com:443
[DEBUG] DefaultHttpClientConnectionOperator - Connecting to googleapis.com/74.125.136.99:443
[DEBUG] SSLConnectionSocketFactory - Connecting socket to googleapis.com/74.125.136.99:443 with timeout 0
[DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1]
[DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] SSLConnectionSocketFactory - Starting handshake
[DEBUG] SSLConnectionSocketFactory - Secure session established
[DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1
[DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[DEBUG] SSLConnectionSocketFactory -  peer principal: CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
[DEBUG] SSLConnectionSocketFactory -  peer alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
[DEBUG] SSLConnectionSocketFactory -  issuer principal: CN=Google Internet Authority G2, O=Google Inc, C=US
[DEBUG] DefaultHttpClientConnectionOperator - Connection established 10.0.0.22:45183<->74.125.136.99:443
[DEBUG] MainClientExec - Executing request GET / HTTP/1.1
[DEBUG] MainClientExec - Target auth state: UNCHALLENGED
[DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
[DEBUG] headers - http-outgoing-0 >> GET / HTTP/1.1
[DEBUG] headers - http-outgoing-0 >> Host: googleapis.com
[DEBUG] headers - http-outgoing-0 >> Connection: Keep-Alive
[DEBUG] headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.1 (Java/1.7.0_75)
[DEBUG] headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
[DEBUG] headers - http-outgoing-0 << HTTP/1.1 404 Not Found
[DEBUG] headers - http-outgoing-0 << Content-Type: text/html; charset=UTF-8
[DEBUG] headers - http-outgoing-0 << Content-Length: 1561
[DEBUG] headers - http-outgoing-0 << Date: Tue, 24 Nov 2015 10:49:53 GMT
[DEBUG] headers - http-outgoing-0 << Server: GFE/2.0
[DEBUG] MainClientExec - Connection can be kept alive indefinitely
[DEBUG] PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://googleapis.com:443] can be kept alive indefinitely
[DEBUG] PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://googleapis.com:443][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
{noformat}

Oleg

> Support for so called 'private' domains in Mozilla Public Suffix List
> ---------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1613
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: Øyvind Horneland
>            Assignee: Oleg Kalnichevski
>              Labels: ssl
>             Fix For: 4.5
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match 
> any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
>     private static boolean matchIdentity(final String host, final String identity,
>                                          final PublicSuffixMatcher publicSuffixMatcher,
>                                          final boolean strict) {
>         if (publicSuffixMatcher != null && host.contains(".")) {
>             if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>                 return false; // WILL EXIT THE WILDCARD CHECK HERE
>             }
>         }
>         // RFC 2818, 3.1. Server Identity
>         // "...Names may contain the wildcard
>         // character * which is considered to match any single domain name
>         // component or component fragment..."
>         // Based on this statement presuming only singular wildcard is legal
>         final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns 
> *.googleapis.com, but this should probably return googleapis.com (without the 
> wildcard)? If the code reaches the "RFC 2818" logic, then it validates just 
> fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>      at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>      at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>      at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>      at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}
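
The domain-root pre-check described in the quoted report, as an added example that is not HttpClient's code and not part of the original message: a simplified lookup over constructed suffix sets shows why the root keeps the wildcard label once `googleapis.com` is itself listed as a suffix. The class name, `domainRoot`, `check` and the two suffix sets are assumptions made for this illustration.

```java
import java.util.Locale;
import java.util.Set;

public class DomainRootDemo {
    // Constructed suffix sets for this illustration, not the real Public Suffix List.
    static final Set<String> ICANN_ONLY = Set.of("com");
    static final Set<String> WITH_PRIVATE = Set.of("com", "googleapis.com");

    // Simplified lookup (hypothetical helper): strip labels from the left until the
    // remainder is a listed suffix; the root is the last name seen before that point.
    static String domainRoot(String name, Set<String> suffixes) {
        String root = null;
        String segment = name.toLowerCase(Locale.ROOT);
        while (segment != null && !suffixes.contains(segment)) {
            int dot = segment.indexOf('.');
            if (dot != -1) {
                root = segment;
            }
            segment = dot != -1 ? segment.substring(dot + 1) : null;
        }
        return root;
    }

    // The host must equal the root or be a subdomain of it.
    static boolean matchDomainRoot(String host, String root) {
        if (root == null) {
            return false;
        }
        return host.endsWith(root) && (host.length() == root.length()
                || host.charAt(host.length() - root.length() - 1) == '.');
    }

    static void check(String host, String identity, Set<String> suffixes) {
        String root = domainRoot(identity, suffixes);
        System.out.printf("host=%s identity=%s root=%s preCheck=%b%n",
                host, identity, root, matchDomainRoot(host, root));
    }

    public static void main(String[] args) {
        // Case 1: googleapis.com is itself listed as a (private) suffix.
        check("www.googleapis.com", "*.googleapis.com", WITH_PRIVATE);
        // Case 2: only ICANN suffixes are consulted.
        check("www.googleapis.com", "*.googleapis.com", ICANN_ONLY);
        // Case 3: a wildcard placed directly over a public suffix.
        check("example.com", "*.com", ICANN_ONLY);
    }
}
```

The third case is the situation the pre-check exists to refuse; the first case is the same rule applied to a name whose parent happens to be on the list.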


