[ https://issues.apache.org/jira/browse/HTTPCLIENT-2047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17021155#comment-17021155 ]

Mike commented on HTTPCLIENT-2047:
----------------------------------

Just to point out the problem here, this is code which worked perfectly fine on 
a private network in Apache HTTP Client 4.5.10:

{code}
CloseableHttpClient client = HttpClients.custom()
        .setSSLContext(aValidSSLContext)
        .build();
{code}

This is the modification I had to make for this to work in HTTP Client 4.5.11:

{code}
CloseableHttpClient client = HttpClients.custom()
        .setSSLHostnameVerifier(new DefaultHostnameVerifier())
        .setSSLContext(aValidSSLContext)
        .build();
{code}

It seems wrong that on a minor patch release I would have to modify code 
which has worked for years. This workaround works because the HTTP Client 
Builder will default to creating a DefaultHostnameVerifier with the default 
implementation of the PublicSuffixMatcher if you don't supply a 
HostnameVerifier.



> Regression in default HTTP Client construction for non-public hostnames
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2047
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2047
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.11
>            Reporter: Mike
>            Priority: Major
>
> I believe that the result of:
>  
> https://github.com/apache/httpcomponents-client/commit/b184b244ad9342a384ba87f48c6b48805a3b0f1f
> and:
> https://github.com/apache/httpcomponents-client/commit/e0416f07c344929699a2bc303eb3a049c62bd979
>  
> Caused a regression which prevents non-public hostnames from validating, 
> resulting in errors like (I have redacted hostnames as possible):
> {code:java}
> Certificate for <hostname-workspace-1.ops.domain.local> doesn't match any of 
> the subject alternative names: [user-id-60662, 
> hostname-workspace-1.ops.domain.local, 127.0.0.1, 10.2.243.75]
>  {code}
> This is because the default value of {{ICANN}} is now supplied to the 
> {{PublicSuffixMatcher}}, which causes it to *only* accept publicly accessible 
> hostnames now (or so it seems).


