[ https://issues.apache.org/jira/browse/HTTPCLIENT-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17633677#comment-17633677 ]
Oleg Kalnichevski commented on HTTPCLIENT-2247:
-----------------------------------------------
> I also want to call out that the issue does not exist in 4.5.3. I
> understand the matcher has been changed since then. But I still believe it is
> one issue of HTTPClient.

[~chen2] The matcher algorithm has not changed. Feel free to take a look at the
Git history or compare the code of the two branches.

What has changed is the public domain suffix list. Please approach Amazon for
clarifications as to how to interpret the following entry in the public domain
suffix list
{noformat}
// Amazon EC2
// Submitted by Luke Wells <[email protected]>
// Reference: 4c38fa71-58ac-4768-99e5-689c1767e537
*.compute.amazonaws.com
*.compute-1.amazonaws.com
*.compute.amazonaws.com.cn
us-east-1.amazonaws.com
{noformat}
Oleg
> SSLPeerUnverifiedException on matching wildcard certificate (US20 amazon)
> -------------------------------------------------------------------------
>
> Key: HTTPCLIENT-2247
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2247
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.13
> Reporter: fan2
> Priority: Major
>
> In version 4.5.13, the following piece of code will throw
> SSLPeerUnverifiedException. If the host is changed to
> "ec2.us-east-1.compute-1.amazonaws.com" and the DNS is changed to
> "*.us-east-1.compute-1.amazonaws.com", then the exception is gone.
>
> {code:java}
> List<SubjectName> subjectAlts = new ArrayList<>();
> PublicSuffixMatcher publicSuffixMatcher = PublicSuffixMatcherLoader.getDefault();
> // assume a certificate with multiple SANs, some of which might contain wildcards
> String host = "ec2.compute-1.amazonaws.com";
> subjectAlts.add(SubjectName.DNS("*.compute-1.amazonaws.com"));
> try {
>     DefaultHostnameVerifier.matchDNSName(host, subjectAlts, publicSuffixMatcher);
> } catch (Exception e) {
>     System.out.println(e);
> }
> {code}
>
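
An added example (not HttpClient's code and not part of the original thread): the standard Public Suffix List matching rules applied to the four entries quoted in the comment, showing that `ec2.compute-1.amazonaws.com` is itself a public suffix with no registrable domain, while `ec2.us-east-1.compute-1.amazonaws.com` has one. The class and method names are hypothetical; exception rules and the rest of the list are left out.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PslWildcardDemo {
    // The four rules quoted in the comment above (only these; the real list is far longer).
    static final Set<String> RULES = new HashSet<>(Arrays.asList(
            "*.compute.amazonaws.com", "*.compute-1.amazonaws.com",
            "*.compute.amazonaws.com.cn", "us-east-1.amazonaws.com"));

    // Public suffix of host under RULES. A "*" label matches exactly one label, and the
    // rule with the most labels wins, so candidates are tried longest first. With no
    // match, the implicit default rule "*" makes the last label the suffix.
    static String publicSuffix(String host) {
        String[] labels = host.toLowerCase().split("\\.");
        for (int i = 0; i < labels.length; i++) {
            String candidate = String.join(".", Arrays.copyOfRange(labels, i, labels.length));
            int dot = candidate.indexOf('.');
            String wildcard = dot < 0 ? null : "*." + candidate.substring(dot + 1);
            if (RULES.contains(candidate) || RULES.contains(wildcard)) {
                return candidate;
            }
        }
        return labels[labels.length - 1];
    }

    // Registrable domain = public suffix plus one more label to the left,
    // or null when the host is itself a public suffix.
    static String registrableDomain(String host) {
        String suffix = publicSuffix(host);
        if (host.equalsIgnoreCase(suffix)) {
            return null;
        }
        String rest = host.substring(0, host.length() - suffix.length() - 1);
        return rest.substring(rest.lastIndexOf('.') + 1) + "." + suffix;
    }

    public static void main(String[] args) {
        // The two host names from the issue description.
        for (String host : new String[] {
                "ec2.compute-1.amazonaws.com",
                "ec2.us-east-1.compute-1.amazonaws.com"}) {
            System.out.println(host + " -> suffix=" + publicSuffix(host)
                    + ", registrable=" + registrableDomain(host));
        }
    }
}
```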