[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373510#comment-16373510
 ] 

Michael Osipov edited comment on HTTPCLIENT-1906 at 2/22/18 9:45 PM:
---------------------------------------------------------------------

As far as I understand [this|https://tools.ietf.org/html/rfc2818#section-3.1], 
the hostname must be checked against {{dNSName}} from SAN. Same for IP address. 
Ignoring the OID of the SAN type looks wrong to me, especially with RFC 822 
names.


was (Author: michael-o):
As far as I understand [this|https://tools.ietf.org/html/rfc2818#section-3.1], 
the hostname must be checked against {{dnsName}} from SAN. Same for IP address. 
Ignoring the OID of the SAN type looks wrong to me, especially with RFC 822 
names.

> HttpClient rejects valid certificates with subjectAltNames
> ----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1906
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1906
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.3, 5.0 Alpha2
>            Reporter: Andy Signer
>            Priority: Minor
>
> A certificate containing only an email address (declared as rfc822Name) in 
> subjectAltName gets rejected. This change was introduced with HTTPCLIENT-1802.
> HttpClient should fall back onto CN for hostname verification instead of 
> rejecting the certificate as invalid.
> Example certificate which gets rejected:
> A unit test demonstrating the issue: 
> [https://github.com/asigner/httpcomponents-client/commit/e2e5c422ad201fc4a4df07e05ffda522ed626008]
> See 
> [http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201802.mbox/%3cCAG5G_q+fh1p54gOO=_kln09+9rizcfxgpmfevue3iq3rp8i...@mail.gmail.com%3e]
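
A sketch of SAN-type-aware matching along the lines of the RFC 2818 section 3.1 text linked in the comment above. This is an added example, not HttpClient's code and not part of the original message. The class and method names and the sample values are hypothetical, and the input is assumed to have the [Integer type, value] shape returned by X509Certificate.getSubjectAlternativeNames(), with IP addresses already in the same textual form as the host.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SanTypeAwareCheck {
    // GeneralName tags as reported by X509Certificate.getSubjectAlternativeNames()
    static final int RFC822_NAME = 1, DNS_NAME = 2, IP_ADDRESS = 7;

    /** sans: entries shaped [Integer type, value]; may be null when the extension is absent. */
    static boolean matches(String host, boolean hostIsIp, Collection<List<?>> sans, String cn) {
        int wanted = hostIsIp ? IP_ADDRESS : DNS_NAME;
        boolean sawWantedType = false;
        if (sans != null) {
            for (List<?> entry : sans) {
                if (!Integer.valueOf(wanted).equals(entry.get(0))) {
                    continue; // rfc822Name, URI and other types are never host identities
                }
                sawWantedType = true;
                String value = (String) entry.get(1);
                if (hostIsIp ? value.equals(host) : dnsMatch(host, value)) {
                    return true;
                }
            }
        }
        // RFC 2818 3.1: CN is consulted only when no dNSName SAN exists;
        // an IP host needs an iPAddress SAN, so it gets no CN fallback.
        return !hostIsIp && !sawWantedType && cn != null && dnsMatch(host, cn);
    }

    // Case-insensitive exact match, or a wildcard covering exactly the leftmost label.
    static boolean dnsMatch(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (p.startsWith("*.")) {
            int dot = h.indexOf('.');
            return dot > 0 && h.substring(dot).equals(p.substring(1));
        }
        return h.equals(p);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the certificate in the issue.
        List<List<?>> emailOnly = Arrays.asList(Arrays.<Object>asList(RFC822_NAME, "admin@example.test"));
        List<List<?>> withDns = Arrays.asList(
            Arrays.<Object>asList(RFC822_NAME, "admin@example.test"),
            Arrays.<Object>asList(DNS_NAME, "api.example.test"));
        System.out.println(matches("www.example.test", false, emailOnly, "www.example.test")); // only an email SAN: CN is used
        System.out.println(matches("www.example.test", false, withDns, "www.example.test"));   // dNSName present: CN is ignored
        System.out.println(matches("admin@example.test", false, emailOnly, null));             // email SAN never matches a host
    }
}
```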


