On closer inspection, the ICANN/private distinction is actually reified in the `PublicSuffixMatcher`, but it was never wired into the `DefaultHostnameVerifier`. Except for unit tests, the `expectedType` is always `null`. As far as I can tell, for the purposes of x509 cert verification, this parameter should always have the value of `Domain.ICANN`.
On Mon, Jan 6, 2020 at 3:08 PM Ryan Schmitt <[email protected]> wrote:

> I'm debugging an issue I found when using the Apache 5 client with one of
> S3's integration tests:
>
> java.lang.AssertionError:
>> Expecting a throwable with cause being an instance of:
>> <software.amazon.awssdk.services.s3.model.S3Exception>
>> but was an instance of:
>> <software.amazon.awssdk.core.exception.SdkClientException: Certificate
>> for <exceptionunmarshallingintegrationtest-ryansch-2655.s3.eu-central-1.amazonaws.com>
>> doesn't match any of the subject alternative names: [*.s3.eu-central-1.amazonaws.com,
>> *.s3-eu-central-1.amazonaws.com, s3-eu-central-1.amazonaws.com,
>> s3.eu-central-1.amazonaws.com, s3.dualstack.eu-central-1.amazonaws.com,
>> *.s3.dualstack.eu-central-1.amazonaws.com, *.s3.amazonaws.com,
>> *.s3-control.eu-central-1.amazonaws.com, s3-control.eu-central-1.amazonaws.com,
>> *.s3-control.dualstack.eu-central-1.amazonaws.com,
>> s3-control.dualstack.eu-central-1.amazonaws.com,
>> *.s3-accesspoint.eu-central-1.amazonaws.com,
>> *.s3-accesspoint.dualstack.eu-central-1.amazonaws.com]>
>
> The reason for this exception is that `s3.eu-central-1.amazonaws.com` is
> one of the entries in Mozilla's Public Suffix List [1]. This entry is
> located in the "PRIVATE DOMAINS" section of the list, not the "ICANN
> DOMAINS" section, which I believe is the only section intended to restrict
> wildcard certs (see [2] under "Standards"). If this interpretation is
> correct, we should patch `PublicSuffixMatcher` to only respect ICANN
> domains (i.e. everything between `===BEGIN ICANN DOMAINS===` and `===END
> ICANN DOMAINS===`). I'd like to commit this change before the next client
> beta release. Thoughts?
>
> [1] https://publicsuffix.org/list/public_suffix_list.dat
> [2] https://publicsuffix.org/learn/
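The following is an added, self-contained Python model of the behaviour discussed in this thread; it is not HttpClient code and not part of the original messages. It parses a constructed excerpt in `public_suffix_list.dat` format, tags each rule with the section it came from (ICANN or PRIVATE), and applies a wildcard-certificate check that refuses a `*.` name whose suffix is itself a public suffix. The `PublicSuffixMatcher`, `DomainType` and `match_identity` names here are my own stand-ins for the HttpClient classes, and the domain-root walk is a simplified model of that algorithm (no IDN conversion). It reproduces the reported failure when every section of the list is honoured and the intended acceptance when only ICANN entries are consulted.

```python
"""Public-suffix-aware wildcard matching, optionally restricted to the ICANN section of the PSL."""
from enum import Enum


class DomainType(Enum):
    ICANN = "icann"
    PRIVATE = "private"


# Constructed excerpt in public_suffix_list.dat format (not the real, full file).
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
// ===END ICANN DOMAINS===

// ===BEGIN PRIVATE DOMAINS===
// Amazon S3 (private-section entry, as in the thread)
s3.eu-central-1.amazonaws.com
// ===END PRIVATE DOMAINS===
"""


class PublicSuffixMatcher:
    """Hypothetical model: PSL rules tagged with the section they came from."""

    def __init__(self, psl_text):
        self.rules = {}       # rule -> DomainType
        self.exceptions = {}  # "!rule" entries -> DomainType
        section = None
        for line in psl_text.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("//"):
                if "BEGIN ICANN DOMAINS" in line:
                    section = DomainType.ICANN
                elif "BEGIN PRIVATE DOMAINS" in line:
                    section = DomainType.PRIVATE
                elif "END" in line:  # END ICANN DOMAINS / END PRIVATE DOMAINS
                    section = None
                continue
            if section is None:
                continue  # rules outside a section marker are ignored
            if line.startswith("!"):
                self.exceptions[line[1:].lower()] = section
            else:
                self.rules[line.lower()] = section

    def _has(self, table, name, expected_type):
        domain_type = table.get(name)
        if domain_type is None:
            return False
        return expected_type is None or domain_type == expected_type

    def get_domain_root(self, domain, expected_type=None):
        """Registrable domain (public suffix plus one label), or None when the
        input is itself a public suffix. expected_type=None honours every
        section; DomainType.ICANN ignores PRIVATE entries."""
        domain_name = None
        segment = domain.lower()
        while segment is not None:
            if self._has(self.exceptions, segment, expected_type):
                return segment  # a "!rule" overrides a wildcard rule
            if self._has(self.rules, segment, expected_type):
                break
            dot = segment.find(".")
            next_segment = segment[dot + 1:] if dot != -1 else None
            if next_segment is not None and self._has(self.rules, "*." + next_segment, expected_type):
                break
            if dot != -1:
                domain_name = segment
            segment = next_segment
        return domain_name


def match_identity(host, identity, psl, expected_type=DomainType.ICANN):
    """Match a hostname against one SAN dNSName, with at most one '*' that
    may only cover a single label and must not span a public suffix."""
    host, identity = host.lower(), identity.lower()
    star = identity.find("*")
    if star == -1:
        return host == identity
    prefix, suffix = identity[:star], identity[star + 1:]
    # The part after "*." must have a registrable root; otherwise the
    # wildcard would cover every name under a public suffix (e.g. "*.com").
    if psl.get_domain_root(suffix.lstrip("."), expected_type) is None:
        return False
    if prefix and not host.startswith(prefix):
        return False
    if suffix and not host.endswith(suffix):
        return False
    remainder = host[len(prefix):len(host) - len(suffix)]
    # The wildcard must match exactly one non-empty label.
    return bool(remainder) and "." not in remainder


if __name__ == "__main__":
    psl = PublicSuffixMatcher(PSL_EXCERPT)
    host = "exceptionunmarshallingintegrationtest-ryansch-2655.s3.eu-central-1.amazonaws.com"
    san = "*.s3.eu-central-1.amazonaws.com"
    print("all sections:", match_identity(host, san, psl, expected_type=None))
    print("ICANN only:  ", match_identity(host, san, psl, expected_type=DomainType.ICANN))
```

With `expected_type=None` the private entry makes `s3.eu-central-1.amazonaws.com` a public suffix, so the wildcard SAN is rejected and the S3 hostname fails verification exactly as in the quoted error; with `DomainType.ICANN` the root resolves to `amazonaws.com` and the SAN matches, while `*.com` and `*.co.uk` stay rejected under both settings.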
