[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2017-11-26 Thread Yosep Stephen (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266348#comment-16266348
 ] 

Yosep Stephen commented on HTTPCLIENT-1613:
---

It is still happening for me. Using latest httpclient 4.5.3, Linux Ubuntu server 14.04, OpenJDK 1.8.0_111.

I'm using the spring-social-google library:
{code:xml}
<dependency>
    <groupId>com.github.spring-social</groupId>
    <artifactId>spring-social-google</artifactId>
    <version>1.1.3</version>
</dependency>
{code}

Here are the stack traces:
{code}
2017-11-27 10:38:55,885 NUC - DEBUG (org.springframework.social.security.SocialAuthenticationFilter:205) - Request is to process authentication
2017-11-27 10:38:58,379 NUC - DEBUG (org.springframework.social.google.security.GoogleAuthenticationService:103) - failed to exchange for access
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://www.googleapis.com/oauth2/v2/userinfo": Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:287)
	at org.springframework.social.google.api.impl.AbstractGoogleApiOperations.getEntity(AbstractGoogleApiOperations.java:70)
	at org.springframework.social.google.api.oauth2.impl.OAuth2Template.getUserinfo(OAuth2Template.java:33)
	at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:59)
	at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:31)
	at org.springframework.social.google.connect.GoogleConnectionFactory.extractProviderUserId(GoogleConnectionFactory.java:38)
	at org.springframework.social.connect.support.OAuth2ConnectionFactory.createConnection(OAuth2ConnectionFactory.java:93)
	at org.springframework.social.security.provider.OAuth2AuthenticationService.getAuthToken(OAuth2AuthenticationService.java:100)
	at org.springframework.social.security.SocialAuthenticationFilter.attemptAuthService(SocialAuthenticationFilter.java:266)
	at org.springframework.social.security.SocialAuthenticationFilter.attemptAuthentication(SocialAuthenticationFilter.java:173)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:230)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
{code}

[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2016-10-13 Thread Oleg Kalnichevski (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571898#comment-15571898
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1613:
---

Works for me.

Oleg

> Support for so called 'private' domains in Mozilla Public Suffix List
> -
>
> Key: HTTPCLIENT-1613
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> Project: HttpComponents HttpClient
>  Issue Type: Improvement
>  Components: HttpClient (classic)
>Affects Versions: 4.4 Final
>Reporter: Øyvind Horneland
>Assignee: Oleg Kalnichevski
>  Labels: ssl
> Fix For: 4.5
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for  doesn't match 
> any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
> private static boolean matchIdentity(final String host, final String identity,
>                                      final PublicSuffixMatcher publicSuffixMatcher,
>                                      final boolean strict) {
>     if (publicSuffixMatcher != null && host.contains(".")) {
>         if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>             return false; // WILL EXIT THE WILDCARD CHECK HERE
>         }
>     }
>     // RFC 2818, 3.1. Server Identity
>     // "...Names may contain the wildcard
>     // character * which is considered to match any single domain name
>     // component or component fragment..."
>     // Based on this statement presuming only singular wildcard is legal
>     final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns 
> *.googleapis.com, but this should probably return googleapis.com (without the 
> wildcard)? If the code reaches the "RFC 2818" logic, then it validates just 
> fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for  doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for  doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
>  at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>  at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>  at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}






[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2016-10-13 Thread Serge Sozonoff (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571652#comment-15571652
 ] 

Serge Sozonoff commented on HTTPCLIENT-1613:


Does not work for us with 4.5.2 and Amazon S3.

Furthermore, this workaround

{code:java}
CloseableHttpClient client = HttpClients.custom()
        .setSSLHostnameVerifier(new DefaultHostnameVerifier(null))
        .build();
{code}

does not work either, for the simple reason:

{code:java}
public CloseableHttpClient build() {
    // Create main request executor
    // We copy the instance fields to avoid changing them, and rename to avoid accidental use of the wrong version
    PublicSuffixMatcher publicSuffixMatcherCopy = this.publicSuffixMatcher;
    if (publicSuffixMatcherCopy == null) {
        publicSuffixMatcherCopy = PublicSuffixMatcherLoader.getDefault();
    }
    // ... (rest of the builder)
}
{code}


[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2015-11-24 Thread Oleg Kalnichevski (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15024250#comment-15024250
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1613:
---

Works for me
{noformat}
[DEBUG] RequestAddCookies - CookieSpec selected: default
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://googleapis.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://googleapis.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] MainClientExec - Opening connection {s}->https://googleapis.com:443
[DEBUG] DefaultHttpClientConnectionOperator - Connecting to googleapis.com/74.125.136.99:443
[DEBUG] SSLConnectionSocketFactory - Connecting socket to googleapis.com/74.125.136.99:443 with timeout 0
[DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1]
[DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] SSLConnectionSocketFactory - Starting handshake
[DEBUG] SSLConnectionSocketFactory - Secure session established
[DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1
[DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[DEBUG] SSLConnectionSocketFactory -  peer principal: CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
[DEBUG] SSLConnectionSocketFactory -  peer alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
[DEBUG] SSLConnectionSocketFactory -  issuer principal: CN=Google Internet Authority G2, O=Google Inc, C=US
[DEBUG] DefaultHttpClientConnectionOperator - Connection established 10.0.0.22:45183<->74.125.136.99:443
[DEBUG] MainClientExec - Executing request GET / HTTP/1.1
[DEBUG] MainClientExec - Target auth state: UNCHALLENGED
[DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
[DEBUG] headers - http-outgoing-0 >> GET / HTTP/1.1
[DEBUG] headers - http-outgoing-0 >> Host: googleapis.com
[DEBUG] headers - http-outgoing-0 >> Connection: Keep-Alive
[DEBUG] headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.1 (Java/1.7.0_75)
[DEBUG] headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
[DEBUG] headers - http-outgoing-0 << HTTP/1.1 404 Not Found
[DEBUG] headers - http-outgoing-0 << Content-Type: text/html; charset=UTF-8
[DEBUG] headers - http-outgoing-0 << Content-Length: 1561
[DEBUG] headers - http-outgoing-0 << Date: Tue, 24 Nov 2015 10:49:53 GMT
[DEBUG] headers - http-outgoing-0 << Server: GFE/2.0
[DEBUG] MainClientExec - Connection can be kept alive indefinitely
[DEBUG] PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://googleapis.com:443] can be kept alive indefinitely
[DEBUG] PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://googleapis.com:443][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
{noformat}

Oleg


[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2015-11-23 Thread Jilles van Gurp (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15022492#comment-15022492
 ] 

Jilles van Gurp commented on HTTPCLIENT-1613:
-

This just started failing for us again using httpclient 4.5.1. I added a 
variation of the workaround outlined above, which fixed it.

{code:java}
// imports: org.apache.http.config.{Registry, RegistryBuilder}, org.apache.http.conn.socket.{ConnectionSocketFactory, PlainConnectionSocketFactory},
// org.apache.http.conn.ssl.{DefaultHostnameVerifier, SSLConnectionSocketFactory}, org.apache.http.ssl.SSLContexts,
// org.apache.http.impl.conn.PoolingHttpClientConnectionManager, javax.net.ssl.HostnameVerifier

// the standard verifier, used for every host other than googleapis.com
HostnameVerifier defaultHostnameVerifier = new DefaultHostnameVerifier();

Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", new SSLConnectionSocketFactory(SSLContexts.createDefault(), (hostname, session) -> {
            // googleapis.com itself or one of its subdomains only; a bare endsWith("googleapis.com")
            // would also match an unrelated name such as notgoogleapis.com
            if (hostname.equals("googleapis.com") || hostname.endsWith(".googleapis.com")) {
                // workaround for https://issues.apache.org/jira/browse/HTTPCLIENT-1613 and googleapis.com
                // works around an issue with the google certificate that google should be fixing
                // skip host name verification if the host is googleapis.com
                return true;
            } else {
                return defaultHostnameVerifier.verify(hostname, session);
            }
        }))
        .build();

connectionManager = new PoolingHttpClientConnectionManager(registry);
{code}




[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2015-05-20 Thread Oleg Kalnichevski (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14552037#comment-14552037
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1613:
---

@Tar: Generally, JIRA is not the right place for such inquiries. Yes, as of 4.5 
one should be able to use default settings and get private domains handled 
correctly (included in cookie validation but excluded in SSL hostname 
validation). For now one can disable PSL support without disabling SSL hostname 
verification entirely by doing
{code:java}
CloseableHttpClient client = HttpClients.custom()
.setSSLHostnameVerifier(new DefaultHostnameVerifier(null))
.build();
{code}

Oleg

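The domain-root gate and the wildcard check that the original report walks through, together with the three behaviours Oleg's reply distinguishes (4.4, the 4.5 fix, and the DefaultHostnameVerifier(null) workaround), traced on a constructed suffix list. This is an added example that re-implements the logic of HttpClient's PublicSuffixMatcher.getDomainRoot and DefaultHostnameVerifier.matchIdentity in Python; it is not the project's code, and the three-entry PSL excerpt and the names verify_4_4 / verify_4_5 / verify_no_psl are assumptions made here.

```python
# Python re-implementation (not HttpClient's own code) of PublicSuffixMatcher.getDomainRoot
# and DefaultHostnameVerifier.matchIdentity, so the 4.4 failure and the 4.5 fix can be traced.
from typing import Dict, Optional

ICANN = "ICANN"
PRIVATE = "PRIVATE"

# Constructed excerpt of the Mozilla PSL: "com" is an ICANN suffix; googleapis.com and
# s3.amazonaws.com are entries from the PRIVATE section. Exception ("!") rules are omitted.
PSL_RULES: Dict[str, str] = {
    "com": ICANN,
    "googleapis.com": PRIVATE,
    "s3.amazonaws.com": PRIVATE,
}


def _has_rule(rule: str, expected_type: Optional[str]) -> bool:
    """A rule matches when present and, if a type is requested, of that type."""
    domain_type = PSL_RULES.get(rule)
    if domain_type is None:
        return False
    return expected_type is None or domain_type == expected_type


def get_domain_root(domain: str, expected_type: Optional[str] = None) -> Optional[str]:
    """Registrable part of `domain` (public suffix plus one label), or None if `domain`
    is itself a suffix. expected_type=None walks every rule (what 4.4 did for hostname
    verification); ICANN skips PRIVATE entries (what 4.5 does). A wildcard identity's
    asterisk is carried along as an ordinary label, exactly as in the Java code."""
    if domain is None or domain.startswith("."):
        return None
    domain_name = None
    segment: Optional[str] = domain.lower()
    while segment is not None:
        if _has_rule(segment, expected_type):
            break                       # segment itself is a public suffix
        next_dot = segment.find(".")
        next_segment = segment[next_dot + 1:] if next_dot != -1 else None
        if next_segment is not None and _has_rule("*." + next_segment, expected_type):
            break                       # covered by a wildcard rule such as *.ck
        domain_name = segment
        segment = next_segment
    return domain_name


def match_domain_root(host: str, domain_root: Optional[str]) -> bool:
    """DefaultHostnameVerifier.matchDomainRoot: host is the root or ends in '.' + root."""
    if domain_root is None:
        return False
    return host.endswith(domain_root) and (
        len(host) == len(domain_root) or host[len(host) - len(domain_root) - 1] == "."
    )


def match_identity(host: str, identity: str, use_psl: bool,
                   psl_type: Optional[str] = None, strict: bool = True) -> bool:
    """DefaultHostnameVerifier.matchIdentity for one SAN/CN entry. use_psl=False is
    `new DefaultHostnameVerifier(null)`: only the RFC 2818 wildcard rules remain."""
    if use_psl and "." in host:
        if not match_domain_root(host, get_domain_root(identity, psl_type)):
            return False                # where 4.4 bailed out for *.googleapis.com
    asterisk = identity.find("*")
    if asterisk != -1:
        prefix, suffix = identity[:asterisk], identity[asterisk + 1:]
        if prefix and not host.startswith(prefix):
            return False
        if suffix and not host.endswith(suffix):
            return False
        if strict:                      # the wildcard may cover a single label only
            remainder = host[len(prefix):len(host) - len(suffix)]
            if "." in remainder:
                return False
        return True
    return host.lower() == identity.lower()


def verify_4_4(host: str, identity: str) -> bool:
    """4.4: PSL gate applied with PRIVATE and ICANN rules alike."""
    return match_identity(host, identity, use_psl=True, psl_type=None)


def verify_4_5(host: str, identity: str) -> bool:
    """4.5: PSL gate restricted to ICANN rules (the fix for this issue)."""
    return match_identity(host, identity, use_psl=True, psl_type=ICANN)


def verify_no_psl(host: str, identity: str) -> bool:
    """Workaround DefaultHostnameVerifier(null): no PSL gate at all."""
    return match_identity(host, identity, use_psl=False)


if __name__ == "__main__":
    cases = [
        ("www.googleapis.com", "*.googleapis.com"),                      # this issue
        ("instructure-uploads.s3.amazonaws.com", "*.s3.amazonaws.com"),  # the S3 report
        ("example.com", "*.com"),          # wildcard spanning a public suffix: must fail
    ]
    print(f"{'host':40} {'identity':22} 4.4   4.5   no-PSL")
    for host, identity in cases:
        print(f"{host:40} {identity:22} {verify_4_4(host, identity)!s:5} "
              f"{verify_4_5(host, identity)!s:5} {verify_no_psl(host, identity)}")
```

The third case is why the PSL gate exists at all: with the verifier built as DefaultHostnameVerifier(null) a certificate for *.com is accepted for example.com, whereas the 4.5 fix keeps that rejection and still accepts *.googleapis.com for www.googleapis.com.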

[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2015-05-19 Thread Tar (JIRA)

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14550893#comment-14550893
 ] 

Tar commented on HTTPCLIENT-1613:
-

Hello, I am new to HttpClient and I found this entry for the same issue as the original poster that I am getting.

Originally I was invoking my client by using this line:

{code:java}
HttpClient client = HttpClients.createDefault();
{code}

but because I was getting an error like this while sending something to AWS:

{noformat}
javax.net.ssl.SSLPeerUnverifiedException: Host name 'instructure-uploads.s3.amazonaws.com' does not match the certificate subject provided by the peer (CN=*.s3.amazonaws.com, OU=S3-A, O=Amazon.com Inc., L=Seattle, ST=Washington, C=US)
{noformat}

I started using this code:

{code:java}
HttpClient client = HttpClients.custom()
        .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
        .build();
{code}

I am currently using version 4.4. So just to clarify for me, are you saying that when version 4.5 is official I should go back to using:

{code:java}
HttpClient client = HttpClients.createDefault();
{code}

as the correct code?

P.S. I agree that fundamentally what Google and now also AWS are doing makes no common sense, but in my case I am getting info via a web service, so I am forced to take what I get and have to use it.

Thank you.

Thank you for your advice.


[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List

2015-03-02 Thread JIRA

[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14342913#comment-14342913
 ] 

Øyvind Horneland commented on HTTPCLIENT-1613:
--

I can confirm that 4.5-alpha1 snapshot worked well and that host 
www.googleapis.com passes validation with certificate subject alt name: 
*.googleapis.com.

Thanks!

> Support for so called 'private' domains in Mozilla Public Suffix List
> -
>
> Key: HTTPCLIENT-1613
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> Project: HttpComponents HttpClient
>  Issue Type: Improvement
>  Components: HttpClient
>Affects Versions: 4.4 Final
>Reporter: Øyvind Horneland
>Assignee: Oleg Kalnichevski
>  Labels: ssl
> Fix For: 4.5 Alpha1
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for  doesn't match 
> any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause: 
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
> private static boolean matchIdentity(final String host, final String identity,
>                                      final PublicSuffixMatcher publicSuffixMatcher,
>                                      final boolean strict) {
>     if (publicSuffixMatcher != null && host.contains(".")) {
>         if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>             return false; // WILL EXIT THE WILDCARD CHECK HERE
>         }
>     }
>     // RFC 2818, 3.1. Server Identity
>     // "...Names may contain the wildcard
>     // character * which is considered to match any single domain name
>     // component or component fragment..."
>     // Based on this statement presuming only singular wildcard is legal
>     final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns 
> *.googleapis.com, but this should probably return googleapis.com (without the 
> wildcard)? If the code reaches the "RFC 2818" logic, then it validates just 
> fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for 
>  doesn't match any of the subject alternative names: 
> [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, 
> cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for  doesn't 
> match any of the subject alternative names: [*.googleapis.com, 
> *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, 
> googleapis.com]
>  at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>  at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>  at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache
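The failure quoted in the issue description above (the domain-root guard in matchIdentity rejecting www.googleapis.com against the SAN *.googleapis.com before the RFC 2818 wildcard rule is ever reached) can be reproduced outside the JVM. The following is an added example, not HttpClient's own code: a small Python re-implementation of the getDomainRoot / matchDomainRoot / wildcard logic quoted from DefaultHostnameVerifier, driven by a constructed, deliberately tiny stand-in for the Mozilla Public Suffix List. The example assumes that googleapis.com appears in the list's 'private' section (the situation the issue title refers to); with that suffix applied the domain root of "*.googleapis.com" still carries the wildcard and the guard fails, while restricting the suffix check to ICANN entries lets the wildcard SAN match and still rejects an identity such as "*.co.uk" that sits directly on a public suffix.

```python
# Added example (not HttpClient's own code): simplified re-implementation of the
# matchDomainRoot + RFC 2818 wildcard check quoted in HTTPCLIENT-1613, using a
# constructed stand-in for the Mozilla Public Suffix List.

# Constructed, deliberately tiny suffix list. Assumption for this example:
# googleapis.com sits in the PRIVATE section; the real list is far larger.
ICANN_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}
PRIVATE_SUFFIXES = {"googleapis.com", "appspot.com"}


def _is_suffix(segment, include_private):
    if segment in ICANN_SUFFIXES:
        return True
    return include_private and segment in PRIVATE_SUFFIXES


def get_domain_root(domain, include_private):
    """Registrable part of `domain`: walk from the full name towards the TLD
    and return the last segment seen before hitting a public suffix.
    Returns None when `domain` is itself a public suffix."""
    domain_root = None
    segment = domain.lower()
    while segment is not None:
        if _is_suffix(segment, include_private):
            break
        dot = segment.find(".")
        domain_root = segment
        segment = segment[dot + 1:] if dot != -1 else None
    return domain_root


def match_domain_root(host, domain_root):
    """True when `host` equals `domain_root` or is a subdomain of it."""
    if domain_root is None:
        return False
    if not host.endswith(domain_root):
        return False
    return (len(host) == len(domain_root)
            or host[len(host) - len(domain_root) - 1] == ".")


def match_identity(host, identity, include_private, strict=True):
    """Mirror of the quoted matchIdentity: domain-root guard first, then the
    single-wildcard rule from RFC 2818 section 3.1."""
    host = host.lower()
    identity = identity.lower()
    if "." in host:
        # The guard that stops e.g. "*.co.uk" from matching every .co.uk host.
        if not match_domain_root(host, get_domain_root(identity, include_private)):
            return False  # the early exit the issue reporter points at
    asterisk = identity.find("*")
    if asterisk == -1:
        return host == identity
    prefix = identity[:asterisk]
    suffix = identity[asterisk + 1:]
    if prefix and not host.startswith(prefix):
        return False
    if suffix and not host.endswith(suffix):
        return False
    if strict:
        # The wildcard may stand for a single label only, never for "a.b".
        remainder = host[len(prefix):len(host) - len(suffix)]
        if "." in remainder:
            return False
    return True


def verify_host(host, subject_alt_names, include_private, strict=True):
    """True when at least one DNS subject alternative name matches `host`."""
    return any(match_identity(host, san, include_private, strict)
               for san in subject_alt_names)


if __name__ == "__main__":
    # SANs copied from the exception message in the issue.
    sans = ["*.googleapis.com", "*.clients6.google.com",
            "*.cloudendpointsapis.com", "cloudendpointsapis.com", "googleapis.com"]
    for private in (True, False):
        print("private suffixes applied =", private,
              "| root of *.googleapis.com =", get_domain_root("*.googleapis.com", private),
              "| www.googleapis.com verifies =", verify_host("www.googleapis.com", sans, private))
```

The domain-root guard is worth keeping: it is what prevents a certificate naming `*.co.uk` or `*.com` from matching every host under that suffix. The defect is only that feeding the 'private' section into that guard turns operator-registered names such as googleapis.com into pseudo-TLDs, so legitimately issued wildcard certificates for them stop verifying.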