[
https://issues.apache.org/jira/browse/HTTPCLIENT-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16873245#comment-16873245
]
Marc Layer commented on HTTPCLIENT-1997:
----------------------------------------
[~olegk] You are right, it's an internal domain in my company's network. I did
not realize that {{PublicSuffixMatcher}} is just meant to match public TLDs. It
may not be the culprit then, after all. It was just the only change from the
release notes that struck me.
Still, I would expect it to accept my {{service.apps.dev.b.cloud.a}} as a match
of {{*.apps.dev.b.cloud.a}}. The certificate's CA (a company-internal CA) has
been added to the trust managers of the {{SSLContext}}. Or is
{{DefaultHostNameVerifier}} now meant to only accept public TLDs?
> SSLPeerUnverifiedException on matching wildcard certificate
> -----------------------------------------------------------
>
> Key: HTTPCLIENT-1997
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1997
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Affects Versions: 4.5.9
> Environment: Oracle Java 11 on Mac OS 10.14.5
> as well as Open JDK 11 on Pivotal Cloud Foundry/Linux 4.15.0-50-generic x86_64
> Spring Boot 2.1.6 which uses httpclient 4.5.9
> Reporter: Marc Layer
> Priority: Major
>
> The step from httpclient 4.5.8 to 4.5.9 seems to have changed the behaviour
> of the {{DefaultHostNameVerifier}}. I now receive an
> {{SSLPeerUnverifiedException}} when trying to connect to a server that uses a
> wildcard server certificate. This used to work in 4.5.8.
> {code:java}
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <service.apps.dev.b.cloud.a> doesn't match any of the subject alternative names: [dev.b.cloud.a, *.system.dev.b.cloud.a, *.int.dev.b.cloud.a, *.login.system.dev.b.cloud.a, *.uaa.system.dev.b.cloud.a, *.apps.dev.b.cloud.a, *.ext.dev.b.cloud.a, CertreqId-12345]
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
> ...
> {code}
> *Expected:* The host name verifier should accept the subject alternative name
> {{*.apps.dev.b.cloud.a}} for the server {{service.apps.dev.b.cloud.a}}.
> I suspect the issue to be related to HTTPCLIENT-1991. It changed
> {{PublicSuffixMatcher}} which is used by {{DefaultHostNameVerifier}}. In the
> debugger I found that {{DefaultHostNameVerifier.verify(String, SSLSession)}}
> fails to verify the host/x509 certificate combination in line 99.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
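To make the expected behaviour concrete, here is an added Python example (written for this page, not HttpClient's DefaultHostnameVerifier or PublicSuffixMatcher) that applies the RFC 6125 wildcard rules with a public-suffix guard to the SAN list from the exception above. The suffix table is a constructed stand-in for the Public Suffix List; the point it shows is that a suffix the table does not know (the internal TLD "a") must be treated as "not public" so the wildcard still matches, while true public suffixes such as "com" or "co.uk" still block over-broad wildcards.

```python
# Added example: RFC 6125-style DNS-ID matching with a public-suffix guard.
from typing import Iterable, List, Optional

# Constructed stand-in for the Public Suffix List (the real list is large).
# A suffix that is absent here, such as the internal TLD "a", is treated as
# NOT public, so wildcards under an internal or unknown TLD still match.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Subject alternative names as listed in the exception from the report.
SANS = ["dev.b.cloud.a", "*.system.dev.b.cloud.a", "*.int.dev.b.cloud.a",
        "*.login.system.dev.b.cloud.a", "*.uaa.system.dev.b.cloud.a",
        "*.apps.dev.b.cloud.a", "*.ext.dev.b.cloud.a", "CertreqId-12345"]


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def is_public_suffix(domain: str) -> bool:
    """True if a wildcard directly above this domain would span a public suffix."""
    return ".".join(_labels(domain)) in PUBLIC_SUFFIXES


def dns_id_matches(san: str, host: str) -> bool:
    """Match one DNS-ID SAN against a host name.

    Rules: case-insensitive; a wildcard must be the whole leftmost label,
    must stand for exactly one label, and must not sit directly above a
    public suffix (so "*.com" and "*.co.uk" never match anything).
    """
    san_labels, host_labels = _labels(san), _labels(host)
    if "*" not in san:
        return san_labels == host_labels
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False  # e.g. "f*.example.com" or "a.*.example.com"
    base = ".".join(san_labels[1:])
    if len(san_labels) < 3 or is_public_suffix(base):
        return False  # "*.a", "*.com", "*.co.uk": too broad to accept
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def verify_host(host: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN that matches host, or None (meaning: reject)."""
    for san in sans:
        if dns_id_matches(san, host):
            return san
    return None


if __name__ == "__main__":
    print(verify_host("service.apps.dev.b.cloud.a", SANS))
```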