On Tue, 2018-02-20 at 22:51 +0100, Andy Signer wrote:
> Hi everyone,
>
> Last week I ran into a certificate verification error with
> httpcomponents-client 4.5.3. A certificate was rejected with the
> following message:
>
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for
> <www.company.com> doesn't match any of the subject alternative names:
> [em...@example.com]
>
> After some investigation I found that the certificate was rejected
> because the commonName is ignored when there is a subjectAltName entry
> present (see [HTTPCLIENT-1802]). The certificate is a bit special
> because there is just one email address in the subjectAltName, nothing
> else.
>
HttpClient (both 4.x and 5.x) has been revised for compliance with RFC 2818
only. RFC 2818 is pretty clear about host name verification based on the
certificate Common Name attribute being deprecated.

RFC 2818
---
3.1. Server Identity
...
If a subjectAltName extension of type dNSName is present, that MUST be
used as the identity. Otherwise, the (most specific) Common Name field in
the Subject field of the certificate MUST be used. Although the use of
the Common Name is existing practice, it is deprecated and Certification
Authorities are encouraged to use the dNSName instead.
---

What I would like to see is whether or not the subjectAltName attribute in
the certificate has been declared as an email address. If the attribute
type declares the entry as DNS or IP, then the certificate is clearly
invalid.

Oleg

> I read parts of [rfc5280] and [rfc6125] and tried to figure out (I
> failed) if the presented certificate is invalid and should be rejected
> (as happens) or if the email address in the subjectAltName is just
> additional information which can be ignored by the
> DefaultHostnameVerifier and the verification should fall back to the
> commonName.
>
> What do you think? Should I just ask the owner of the certificate to
> change it or is there something which could be improved in the default
> hostname verification?
>
> Best regards
> Andy Signer
>
> PS: A unit test to demonstrate the rejected certificate
> https://github.com/asigner/httpcomponents-client/pull/1
>
> References
> [rfc5280] https://tools.ietf.org/html/rfc5280#section-4.2.1.6
> [rfc6125] https://tools.ietf.org/html/rfc6125#section-6.4.4
> [HTTPCLIENT-1802] https://issues.apache.org/jira/browse/HTTPCLIENT-1802
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
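The following is an added example, not code from HttpClient or from either participant in the thread. It implements the RFC 2818 section 3.1 rule quoted in the reply (dNSName SAN entries are the identity when present; otherwise the most specific Common Name), plus the check the reply asks for: whether the SAN actually declares a DNS or IP entry. It takes SAN data in the shape that the JDK's X509Certificate.getSubjectAlternativeNames() returns (a collection of two-element lists: GeneralName tag, then value), so it can be dropped in front of a real certificate; here the certificates are constructed stand-ins, the class name Rfc2818Identity is arbitrary, and the e-mail address and subject DN are made up rather than the elided ones from the question.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example: RFC 2818 3.1 identity selection, not HttpClient's DefaultHostnameVerifier. */
public final class Rfc2818Identity {

    // GeneralName tag numbers, as returned in element 0 of each entry from
    // X509Certificate.getSubjectAlternativeNames() (see its Javadoc).
    static final int RFC822_NAME = 1;
    static final int DNS_NAME = 2;
    static final int IP_ADDRESS = 7;

    /** Which certificate field supplied the identity, and the names found there. */
    public static final class Identity {
        public final String source;       // "dNSName" or "CN"
        public final List<String> names;  // lower-cased candidate identities
        Identity(String source, List<String> names) {
            this.source = source;
            this.names = Collections.unmodifiableList(names);
        }
    }

    /** True if any SAN entry is a dNSName or iPAddress: the check the reply asks for. */
    public static boolean hasDnsOrIpSan(Collection<List<?>> sans) {
        if (sans == null) return false;
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            if (type == DNS_NAME || type == IP_ADDRESS) return true;
        }
        return false;
    }

    /**
     * RFC 2818 3.1: use dNSName SAN entries when present; otherwise the most
     * specific (leftmost) Common Name of the subject DN. Entries of other
     * types, such as an rfc822Name, are not server identities under this rule
     * and therefore do not suppress the Common Name fallback.
     */
    public static Identity selectIdentity(Collection<List<?>> sans, String subjectDn)
            throws InvalidNameException {
        List<String> dnsNames = new ArrayList<>();
        if (sans != null) {
            for (List<?> entry : sans) {
                if ((Integer) entry.get(0) == DNS_NAME) {
                    dnsNames.add(((String) entry.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        if (!dnsNames.isEmpty()) return new Identity("dNSName", dnsNames);

        // LdapName lists RDNs right to left, so the last CN it reports is the
        // leftmost one in string form, i.e. the most specific.
        String cn = null;
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cn = rdn.getValue().toString();
        }
        List<String> cns = new ArrayList<>();
        if (cn != null) cns.add(cn.toLowerCase(Locale.ROOT));
        return new Identity("CN", cns);
    }

    /** RFC 2818 wildcard rule: "*.a.com" matches "foo.a.com" but not "bar.foo.a.com". */
    static boolean matches(String hostname, String identity) {
        String h = hostname.toLowerCase(Locale.ROOT);
        if (identity.startsWith("*.")) {
            String suffix = identity.substring(1);  // ".a.com"
            int dot = h.indexOf('.');
            return dot > 0 && h.endsWith(suffix) && dot == h.length() - suffix.length();
        }
        return h.equals(identity);
    }

    /** Accepts the host name if it matches any identity selected per RFC 2818. */
    public static boolean verify(String hostname, Collection<List<?>> sans, String subjectDn)
            throws InvalidNameException {
        for (String name : selectIdentity(sans, subjectDn).names) {
            if (matches(hostname, name)) return true;
        }
        return false;
    }

    // Builds one SAN entry in the shape getSubjectAlternativeNames() uses.
    static List<?> san(int type, String value) { return Arrays.asList(type, value); }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed stand-ins: an e-mail-only SAN with the host only in the CN
        // (the shape described in the question), a dNSName SAN, and a wildcard.
        String subject = "CN=www.company.com,O=Example Ltd,C=CH";
        Collection<List<?>> emailOnly = Arrays.asList(san(RFC822_NAME, "someone@example.com"));
        Collection<List<?>> dnsOnly = Arrays.asList(san(DNS_NAME, "api.company.com"));
        Collection<List<?>> wildcard = Arrays.asList(san(DNS_NAME, "*.company.com"));

        System.out.println("email-only SAN declares DNS/IP: " + hasDnsOrIpSan(emailOnly));
        System.out.println("email-only SAN, identity from: " + selectIdentity(emailOnly, subject).source);
        System.out.println("email-only SAN, www.company.com: " + verify("www.company.com", emailOnly, subject));
        System.out.println("dNSName SAN, CN ignored:         " + verify("www.company.com", dnsOnly, subject));
        System.out.println("wildcard, one label:             " + verify("www.company.com", wildcard, subject));
        System.out.println("wildcard, two labels:            " + verify("a.b.company.com", wildcard, subject));
    }
}
```

Run with `javac Rfc2818Identity.java && java Rfc2818Identity`. Under the quoted RFC 2818 text the e-mail-only SAN contains no dNSName, so this implementation falls back to the CN and accepts www.company.com, which is the opposite of the rejection the question reports from HttpClient 4.5.3; the same certificate is rejected as soon as a dNSName entry is present, because the CN is then ignored. Which of the two behaviours is wanted is exactly the question in the thread, and hasDnsOrIpSan() is the test that separates the two cases the reply distinguishes.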