[ https://issues.apache.org/jira/browse/HTTPCLIENT-2370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17952097#comment-17952097 ]
Christian Habermehl commented on HTTPCLIENT-2370:
-------------------------------------------------

Here is a test that runs successfully with version 5.4.2 and fails with version 5.4.3:

{code:java}
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.SSLException;

import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

class DefaultHostnameVerifierTest {

    @Test
    void testHostMatcherAlternativeNames() throws CertificateException, SSLException {
        // Certificate mock whose only SAN entry is exactly the host being verified
        List<List<?>> alternativeNames = createAlternativeNames("s3.eu-west-1.amazonaws.com");
        X509Certificate certificate = Mockito.mock(X509Certificate.class);
        Mockito.when(certificate.getSubjectAlternativeNames()).thenReturn(alternativeNames);

        DefaultHostnameVerifier defaultHostnameVerifier =
                new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
        // Passes on 5.4.2; throws SSLPeerUnverifiedException on 5.4.3
        defaultHostnameVerifier.verify("s3.eu-west-1.amazonaws.com", certificate);
    }

    // Builds entries in the shape returned by X509Certificate.getSubjectAlternativeNames():
    // each entry is [type, value], where type 2 is the GeneralName dNSName
    private static List<List<?>> createAlternativeNames(String... names) {
        List<List<?>> alternativeNames = new ArrayList<>();
        for (String name : names) {
            alternativeNames.add(List.of(2, name));
        }
        return alternativeNames;
    }
}
{code}

> Wrong SSLPeerUnverifiedException with httpclient5
> --------------------------------------------------
>
>                 Key: HTTPCLIENT-2370
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2370
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 5.4.3
>         Environment: Linux / MacOS / Java 21
>            Reporter: Christian Habermehl
>            Priority: Major
>
> When I try to download a file from s3.eu-west-1.amazonaws.com I get this exception:
> {code}
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <s3.eu-west-1.amazonaws.com> doesn't match any of the subject alternative names: [s3-eu-west-1.amazonaws.com, *.s3-eu-west-1.amazonaws.com, s3.eu-west-1.amazonaws.com, *.s3.eu-west-1.amazonaws.com, s3.dualstack.eu-west-1.amazonaws.com, *.s3.dualstack.eu-west-1.amazonaws.com, *.s3.amazonaws.com, *.s3-control.eu-west-1.amazonaws.com, s3-control.eu-west-1.amazonaws.com, *.s3-control.dualstack.eu-west-1.amazonaws.com, s3-control.dualstack.eu-west-1.amazonaws.com, *.s3-accesspoint.eu-west-1.amazonaws.com, *.s3-accesspoint.dualstack.eu-west-1.amazonaws.com, *.s3-deprecated.eu-west-1.amazonaws.com, s3-deprecated.eu-west-1.amazonaws.com, s3-external-3.amazonaws.com, *.s3-external-3.amazonaws.com]
> 	at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
> 	at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
> 	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
> 	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
> 	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
> 	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
> 	at org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
> 	at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
> 	at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
> 	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
> 	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
> 	at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
> 	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
> 	at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
> 	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
> 	at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
> 	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
> 	at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
> 	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
> 	at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
> 	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
> 	at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
> 	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
> 	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
> 	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
> {code}
> even though the domain name is part of the alternative names.
> It seems that when comparing the domain names the host "s3.eu-west-1.amazonaws.com" is compared to ".s3.eu-west-1.amazonaws.com" and this fails.
> With version 5.4.2 the download works without problems.
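As an added example (not code from the issue, the reporter, or HttpClient itself), the following Python implements the RFC 6125 DNS-ID matching rules a hostname verifier is expected to apply and runs them over the SAN list copied from the quoted exception; the function names and the sample hosts are my own and illustrate why the exact entry `s3.eu-west-1.amazonaws.com` must match while the wildcard entry must not cover the bare name.

```python
# SAN dNSName entries copied verbatim from the exception message in HTTPCLIENT-2370.
SAN_DNS_NAMES = [
    "s3-eu-west-1.amazonaws.com", "*.s3-eu-west-1.amazonaws.com",
    "s3.eu-west-1.amazonaws.com", "*.s3.eu-west-1.amazonaws.com",
    "s3.dualstack.eu-west-1.amazonaws.com", "*.s3.dualstack.eu-west-1.amazonaws.com",
    "*.s3.amazonaws.com", "*.s3-control.eu-west-1.amazonaws.com",
    "s3-control.eu-west-1.amazonaws.com",
    "*.s3-control.dualstack.eu-west-1.amazonaws.com",
    "s3-control.dualstack.eu-west-1.amazonaws.com",
    "*.s3-accesspoint.eu-west-1.amazonaws.com",
    "*.s3-accesspoint.dualstack.eu-west-1.amazonaws.com",
    "*.s3-deprecated.eu-west-1.amazonaws.com",
    "s3-deprecated.eu-west-1.amazonaws.com", "s3-external-3.amazonaws.com",
    "*.s3-external-3.amazonaws.com",
]


def dns_id_matches(host: str, identity: str) -> bool:
    """RFC 6125 section 6.4.3 style matching (hypothetical helper, not HttpClient's).

    Comparison is case-insensitive on the whole name. A wildcard is only accepted
    when '*' is the entire leftmost label, and it matches exactly one non-empty
    host label, so '*.s3.eu-west-1.amazonaws.com' does not cover the bare
    's3.eu-west-1.amazonaws.com'.
    """
    host = host.lower().rstrip(".")
    identity = identity.lower().rstrip(".")
    if "*" not in identity:
        return host == identity
    id_labels = identity.split(".")
    host_labels = host.split(".")
    # Reject '*' inside a label (e.g. 'f*o.example') and wildcards too close to
    # the suffix (e.g. '*.com'); a real verifier consults a public-suffix list.
    if id_labels[0] != "*" or len(id_labels) < 3 or "*" in identity[1:]:
        return False
    return (len(host_labels) == len(id_labels)
            and host_labels[0] != ""
            and host_labels[1:] == id_labels[1:])


def find_matching_san(host: str, sans=SAN_DNS_NAMES):
    """Return the first SAN entry that matches host, or None if verification should fail."""
    return next((san for san in sans if dns_id_matches(host, san)), None)
```

A verifier returning `None` for `s3.eu-west-1.amazonaws.com` against this list, as 5.4.3 effectively does, is rejecting a certificate that is valid for the host; the converse error (letting a wildcard cover the bare name or more than one label) would be the security-relevant one.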