[
https://issues.apache.org/jira/browse/HTTPCLIENT-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16378488#comment-16378488
]
Andy Signer commented on HTTPCLIENT-1906:
-----------------------------------------
Thanks for the fast fix - it looks good to me. I just noticed that the test
certificate will run out February 14, 2020 and break the test in two years.
We could use the following certificate which runs out next century (January 20,
2155) - that should be enough.
> HttpClient rejects valid certificates with subjectAltNames
> ----------------------------------------------------------
>
> Key: HTTPCLIENT-1906
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1906
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.3, 5.0 Alpha2
> Reporter: Andy Signer
> Priority: Minor
> Fix For: 4.5.6, 4.6 Alpha1, 5.0 Beta2
>
>
> A certificate containing only an email address (declared as rfc822Name) in
> subjectAltName gets rejected. This change was introduced with HTTPCLIENT-1802.
> HttpClient should fall back onto CN for hostname verification instead of
> rejecting the certificate as invalid.
> Example certificate which gets rejected:
> A unit test demonstrating the issue:
> [https://github.com/asigner/httpcomponents-client/commit/e2e5c422ad201fc4a4df07e05ffda522ed626008]
> See
> [http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201802.mbox/%3cCAG5G_q+fh1p54gOO=_kln09+9rizcfxgpmfevue3iq3rp8i...@mail.gmail.com%3e]
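The behaviour requested in the issue, as an added Java example that is not HttpClient's own code: only dNSName and iPAddress entries count as server identities, so a subjectAltName holding nothing but an rfc822Name falls back to CN, while a certificate that does carry a dNSName never consults CN. The class and method names are hypothetical, the SAN lists are constructed in the shape `X509Certificate.getSubjectAlternativeNames()` returns, and wildcard matching is left out.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Added illustration; SanFallbackDemo and its methods are hypothetical, not HttpClient API.
public class SanFallbackDemo {
    // GeneralName tags (RFC 5280); the JDK puts the tag in element 0 of each SAN entry.
    static final int RFC822_NAME = 1, DNS_NAME = 2, IP_ADDRESS = 7;

    // Keep only the entries that can identify a server: dNSName and iPAddress.
    static List<String> serverNames(Collection<List<?>> sans) {
        List<String> names = new ArrayList<>();
        if (sans == null) {
            return names; // the JDK returns null when the extension is absent
        }
        for (List<?> entry : sans) {
            if (entry.size() >= 2 && entry.get(0) instanceof Integer
                    && entry.get(1) instanceof String) {
                int type = (Integer) entry.get(0);
                if (type == DNS_NAME || type == IP_ADDRESS) {
                    names.add((String) entry.get(1));
                }
            }
        }
        return names;
    }

    // Exact, case-insensitive comparison only.
    static boolean verify(String host, Collection<List<?>> sans, String commonName) {
        List<String> names = serverNames(sans);
        if (names.isEmpty()) {
            // No server-identifying SAN (for example rfc822Name only): fall back to CN.
            return commonName != null && commonName.equalsIgnoreCase(host);
        }
        for (String name : names) {
            if (name.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false; // server-identifying SANs exist, so CN is not consulted
    }

    public static void main(String[] args) {
        // Constructed sample values, not parsed from a real certificate.
        String host = "www.company.com";
        Collection<List<?>> emailOnly = Arrays.asList(Arrays.asList(RFC822_NAME, "email@example.com"));
        Collection<List<?>> otherDns = Arrays.asList(Arrays.asList(DNS_NAME, "other.example.com"));
        System.out.println("rfc822Name only, CN matches: " + verify(host, emailOnly, host));
        System.out.println("dNSName mismatch, CN matches: " + verify(host, otherDns, host));
        System.out.println("no SAN extension, CN matches: " + verify(host, null, host));
    }
}
```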