[ https://issues.apache.org/jira/browse/HTTPCLIENT-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376915#comment-16376915 ]
ASF subversion and git services commented on HTTPCLIENT-1906: ------------------------------------------------------------- Commit b1e09f37ae6e11bbca12b2296f29e603c1a9d22b in httpcomponents-client's branch refs/heads/4.5.x from [~olegk] [ https://git-wip-us.apache.org/repos/asf?p=httpcomponents-client.git;h=b1e09f3 ] HTTPCLIENT-1906: certificates containing alternative subject names other than DNS and IP (such as RFC822) get rejected as invalid > HttpClient rejects valid certificates with subjectAltNames > ---------------------------------------------------------- > > Key: HTTPCLIENT-1906 > URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 > Project: HttpComponents HttpClient > Issue Type: Bug > Components: HttpClient (classic) > Affects Versions: 4.5.3, 5.0 Alpha2 > Reporter: Andy Signer > Priority: Minor > > A certificate containing only an email address (declared as rfc822Name) in > subjectAltName gets rejected. This change was introduced with HTTPCLIENT-1802. > HttpClient should fall back onto CN for hostname verification instead of > rejecting the certificate as invalid. > Example certificate which gets rejected: > {noformat} > -----BEGIN CERTIFICATE----- > MIIDpTCCAo2gAwIBAgIJANqkMEtlkelbMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV > BAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwIU29tZUNpdHkxEjAQBgNVBAoM > CU15Q29tcGFueTETMBEGA1UECwwKTXlEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmNv > bXBhbnkuY29tMB4XDTE4MDIxNTA3MjkzMFoXDTIwMDIxNTA3MjkzMFowcDELMAkG > A1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhTb21lQ2l0eTESMBAGA1UE > CgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlzaW9uMRgwFgYDVQQDDA93d3cu > Y29tcGFueS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4v6Oq > Ua0goRVn1cmT7MOpJhXFm3A70bTpvJIRpEjtGIz99hb34/9r5AYyf1VhKyWmBq24 > XNcOJ59XOlyjjbm2Tl811ufTOdcNbPadoVBmMt4039OSUFpVb4wAw2XPWLTCG2h1 > HNj9GuFHmwcDsg5EiIRrhDGQm2LLLAGoe5PdReoMZCeeWzNWvKTCV14pyRzwQhJL > F1OmzLYzovbPfB8LZVhQgDbLsh034FScivf2oKDB+NEzAEagNpnrFR0MFLWGYsu1 > nWD5RiZi78HFGiibmhH7QrEPfGlo2eofuUga6naoBUROqkmMCIL8n1HZ/Ur0oGny > vQCj1AyrfOhuVC53AgMBAAGjQjBAMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggr > BgEFBQcDATAcBgNVHREEFTATgRFlbWFpbEBleGFtcGxlLmNvbTANBgkqhkiG9w0B > AQsFAAOCAQEAZ0IsqRrsEmJ6Fa9Yo6PQtrKJrejN2TTDddVgyLQdokzWh/25JFad > NCMYPH5KjTUyKf96hJDlDayjbKk1PMMhSZMU5OG9NOuGMH/dQttruG1ojse7KIKg > yHDQrfq5Exxgfa7CMHRKAoTCY7JZhSLyVbTMVhmGfuUDad/RA86ZisXycp0ZmS97 > qDkAmzFL0sL0ZUWNNUh4ZUWvCUZwiuN08z70NjGqXMTDCf68p3SYxbII0xTfScgf > aQ/A/hD7IbGGTexeoTwpEj01DNvefbQV6//neo32/R5XD0D5jn3TCgZcMThA6H3a > VkEghVg+s7uMfL/UEebOBQWXQJ/uVoknMA== > -----END CERTIFICATE-----{noformat} > A unit test demonstrating the issue: > [https://github.com/asigner/httpcomponents-client/commit/e2e5c422ad201fc4a4df07e05ffda522ed626008] > See > [http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201802.mbox/%3cCAG5G_q+fh1p54gOO=_kln09+9rizcfxgpmfevue3iq3rp8i...@mail.gmail.com%3e] -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org