[ https://issues.apache.org/jira/browse/HTTPCLIENT-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16874061#comment-16874061 ]

Michael Osipov commented on HTTPCLIENT-1997:
--------------------------------------------

This is probably the first line in the network handbook: don't design with 
private domains. Even the Microsoft AD handbook recommends using public ones even 
if you are routing those hosts. So it is here with > 100 000 clients.

> SSLPeerUnverifiedException on matching wildcard certificate
> -----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1997
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1997
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 4.5.9
>         Environment: Oracle Java 11 on Mac OS 10.14.5
> as well as Open JDK 11 on Pivotal Cloud Foundry/Linux 4.15.0-50-generic x86_64
> Spring Boot 2.1.6 which uses httpclient 4.5.9
>            Reporter: Marc Layer
>            Priority: Major
>
> The step from httpclient 4.5.8 to 4.5.9 seems to have changed the behaviour 
> of the {{DefaultHostNameVerifier}}. I now receive an 
> {{SSLPeerUnverifiedException}} when trying to connect to a server that uses a 
> wildcard server certificate. This used to work in 4.5.8.
> {code:java}
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for 
> <service.apps.dev.b.cloud.a> doesn't match any of the subject alternative 
> names: [dev.b.cloud.a, *.system.dev.b.cloud.a, *.int.dev.b.cloud.a, 
> *.login.system.dev.b.cloud.a, *.uaa.system.dev.b.cloud.a, 
> *.apps.dev.b.cloud.a, *.ext.dev.b.cloud.a, CertreqId-12345]
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>     at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
>     ...
> {code}
> *Expected:* The host name verifier should accept the subject alternative name 
> {{*.apps.dev.b.cloud.a}} for the server {{service.apps.dev.b.cloud.a}}.
> I suspect the issue to be related to HTTPCLIENT-1991. It changed 
> {{PublicSuffixMatcher}} which is used by {{DefaultHostNameVerifier}}. In the 
> debugger I found that {{DefaultHostNameVerifier}}.{{verify(String, 
> SSLSession)}} fails to verify the host/x509 certificate combination in line 
> 99.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
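As an added illustration of the behaviour the report and the comment above are about (this is not HttpClient's own DefaultHostNameVerifier or PublicSuffixMatcher code): wildcard dNSName matching with a public-suffix "domain root" check, where a tiny constructed suffix list and a modelled policy knob for TLDs absent from that list stand in for the real Public Suffix List. The reporter's SANs are accepted under the lenient policy and rejected under the strict one, which is exactly the uncertainty a private top-level domain such as `.a` introduces into suffix-based verification.

```python
from __future__ import annotations

# Constructed stand-in for the Public Suffix List; the real list has thousands of rules.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def domain_root(name: str, unknown_tld_is_public: bool) -> str | None:
    """Registrable domain of `name`: its longest listed public suffix plus one label.
    Returns None when `name` is itself a public suffix, or when its TLD is not listed
    and the strict policy is in force (the '.a' case from the report)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    if unknown_tld_is_public and len(labels) > 1:
        return ".".join(labels[-2:])  # lenient: treat the unknown TLD as the suffix
    return None  # strict: no root can be determined for an unlisted TLD


def san_matches(identity: str, host: str, unknown_tld_is_public: bool = True) -> bool:
    """RFC 6125-style dNSName match: one '*' only as the leftmost label, covering exactly
    one label, and never a wildcard over a bare public suffix such as '*.co.uk'."""
    identity, host = identity.lower(), host.lower()
    if not identity.startswith("*."):
        return identity == host
    suffix = identity[2:]
    if "*" in suffix or domain_root(suffix, unknown_tld_is_public) is None:
        return False
    if not host.endswith("." + suffix):
        return False
    return "." not in host[: -len(suffix) - 1]  # wildcard must cover a single label


def verify(host: str, sans: list[str], unknown_tld_is_public: bool = True) -> bool:
    """True if any subject alternative name in `sans` matches `host`."""
    return any(san_matches(san, host, unknown_tld_is_public) for san in sans)


# The DNS-name SANs quoted in the report's exception message.
REPORTED_SANS = ["dev.b.cloud.a", "*.system.dev.b.cloud.a", "*.int.dev.b.cloud.a",
                 "*.login.system.dev.b.cloud.a", "*.uaa.system.dev.b.cloud.a",
                 "*.apps.dev.b.cloud.a", "*.ext.dev.b.cloud.a"]

if __name__ == "__main__":
    host = "service.apps.dev.b.cloud.a"
    print("lenient policy:", verify(host, REPORTED_SANS, unknown_tld_is_public=True))   # True
    print("strict policy: ", verify(host, REPORTED_SANS, unknown_tld_is_public=False))  # False
    print("*.co.uk vs evil.co.uk:", san_matches("*.co.uk", "evil.co.uk"))                # False
```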
