[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266348#comment-16266348 ] Yosep Stephen commented on HTTPCLIENT-1613:
---
It's still happening for me. Using the latest httpclient 4.5.3, Linux Ubuntu Server 14.04, OpenJDK 1.8.0_111.

I'm using the spring-social-google library:
{code}
<groupId>com.github.spring-social</groupId>
<artifactId>spring-social-google</artifactId>
<version>1.1.3</version>
{code}

Here are the stack traces:
{code}
2017-11-27 10:38:55,885 NUC - DEBUG (org.springframework.social.security.SocialAuthenticationFilter:205) - Request is to process authentication
2017-11-27 10:38:58,379 NUC - DEBUG (org.springframework.social.google.security.GoogleAuthenticationService:103) - failed to exchange for access
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://www.googleapis.com/oauth2/v2/userinfo": Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
    at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:287)
    at org.springframework.social.google.api.impl.AbstractGoogleApiOperations.getEntity(AbstractGoogleApiOperations.java:70)
    at org.springframework.social.google.api.oauth2.impl.OAuth2Template.getUserinfo(OAuth2Template.java:33)
    at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:59)
    at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:31)
    at org.springframework.social.google.connect.GoogleConnectionFactory.extractProviderUserId(GoogleConnectionFactory.java:38)
    at org.springframework.social.connect.support.OAuth2ConnectionFactory.createConnection(OAuth2ConnectionFactory.java:93)
    at org.springframework.social.security.provider.OAuth2AuthenticationService.getAuthToken(OAuth2AuthenticationService.java:100)
    at org.springframework.social.security.SocialAuthenticationFilter.attemptAuthService(SocialAuthenticationFilter.java:266)
    at org.springframework.social.security.SocialAuthenticationFilter.attemptAuthentication(SocialAuthenticationFilter.java:173)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:230)
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
{code}
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571898#comment-15571898 ] Oleg Kalnichevski commented on HTTPCLIENT-1613:
---
Works for me.

Oleg

> Support for so called 'private' domains in Mozilla Public Suffix List
> -
>
> Key: HTTPCLIENT-1613
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient (classic)
> Affects Versions: 4.4 Final
> Reporter: Øyvind Horneland
> Assignee: Oleg Kalnichevski
> Labels: ssl
> Fix For: 4.5
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
>
> Possible cause:
> DefaultHostnameVerifier's matchDNSName
> matchIdentityStrict
> matchIdentity:
> {noformat}
> private static boolean matchIdentity(final String host, final String identity,
>                                      final PublicSuffixMatcher publicSuffixMatcher,
>                                      final boolean strict) {
>     if (publicSuffixMatcher != null && host.contains(".")) {
>         if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>             return false; // WILL EXIT THE WILDCARD CHECK HERE
>         }
>     }
>     // RFC 2818, 3.1. Server Identity
>     // "...Names may contain the wildcard
>     // character * which is considered to match any single domain name
>     // component or component fragment..."
>     // Based on this statement presuming only singular wildcard is legal
>     final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns *.googleapis.com, but this should probably return googleapis.com (without the wildcard)? If the code reaches the "RFC 2818" logic, then it validates just fine.
>
> Note: A default PublicSuffixMatcher is in use.
>
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
>     at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
>     at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
>     at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571652#comment-15571652 ] Serge Sozonoff commented on HTTPCLIENT-1613:
---
Does not work for us with 4.5.2 and Amazon S3.

Furthermore, this workaround
{code:java}
CloseableHttpClient client = HttpClients.custom()
        .setSSLHostnameVerifier(new DefaultHostnameVerifier(null))
        .build();
{code}
does not work either, for the simple reason
{code:java}
public CloseableHttpClient build() {
    // Create main request executor
    // We copy the instance fields to avoid changing them, and rename to avoid accidental use of the wrong version
    PublicSuffixMatcher publicSuffixMatcherCopy = this.publicSuffixMatcher;
    if (publicSuffixMatcherCopy == null) {
        publicSuffixMatcherCopy = PublicSuffixMatcherLoader.getDefault();
    }
{code}
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15024250#comment-15024250 ] Oleg Kalnichevski commented on HTTPCLIENT-1613:
---
Works for me
{noformat}
[DEBUG] RequestAddCookies - CookieSpec selected: default
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://googleapis.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://googleapis.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] MainClientExec - Opening connection {s}->https://googleapis.com:443
[DEBUG] DefaultHttpClientConnectionOperator - Connecting to googleapis.com/74.125.136.99:443
[DEBUG] SSLConnectionSocketFactory - Connecting socket to googleapis.com/74.125.136.99:443 with timeout 0
[DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1]
[DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] SSLConnectionSocketFactory - Starting handshake
[DEBUG] SSLConnectionSocketFactory - Secure session established
[DEBUG] SSLConnectionSocketFactory - negotiated protocol: TLSv1
[DEBUG] SSLConnectionSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[DEBUG] SSLConnectionSocketFactory - peer principal: CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
[DEBUG] SSLConnectionSocketFactory - peer alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
[DEBUG] SSLConnectionSocketFactory - issuer principal: CN=Google Internet Authority G2, O=Google Inc, C=US
[DEBUG] DefaultHttpClientConnectionOperator - Connection established 10.0.0.22:45183<->74.125.136.99:443
[DEBUG] MainClientExec - Executing request GET / HTTP/1.1
[DEBUG] MainClientExec - Target auth state: UNCHALLENGED
[DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
[DEBUG] headers - http-outgoing-0 >> GET / HTTP/1.1
[DEBUG] headers - http-outgoing-0 >> Host: googleapis.com
[DEBUG] headers - http-outgoing-0 >> Connection: Keep-Alive
[DEBUG] headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.1 (Java/1.7.0_75)
[DEBUG] headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
[DEBUG] headers - http-outgoing-0 << HTTP/1.1 404 Not Found
[DEBUG] headers - http-outgoing-0 << Content-Type: text/html; charset=UTF-8
[DEBUG] headers - http-outgoing-0 << Content-Length: 1561
[DEBUG] headers - http-outgoing-0 << Date: Tue, 24 Nov 2015 10:49:53 GMT
[DEBUG] headers - http-outgoing-0 << Server: GFE/2.0
[DEBUG] MainClientExec - Connection can be kept alive indefinitely
[DEBUG] PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://googleapis.com:443] can be kept alive indefinitely
[DEBUG] PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://googleapis.com:443][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
{noformat}
Oleg
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15022492#comment-15022492 ] Jilles van Gurp commented on HTTPCLIENT-1613:
-
This just started failing for us again using httpclient 4.5.1. I added a variation of the workaround outlined above, which fixed it.
{code:java}
// the stock verifier that handles every host other than googleapis.com
HostnameVerifier defaultHostnameVerifier = new DefaultHostnameVerifier();

Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", new SSLConnectionSocketFactory(SSLContexts.createDefault(), (hostname, session) -> {
            // compare against the bare domain or a dot-separated subdomain so that an
            // unrelated host whose name merely ends in "googleapis.com" is not exempted
            if (hostname.equals("googleapis.com") || hostname.endsWith(".googleapis.com")) {
                // workaround for https://issues.apache.org/jira/browse/HTTPCLIENT-1613 and googleapis.com
                // works around an issue with the google certificate that google should be fixing
                // skip host name verification if the host is googleapis.com
                return true;
            } else {
                return defaultHostnameVerifier.verify(hostname, session);
            }
        }))
        .build();
connectionManager = new PoolingHttpClientConnectionManager(registry);
{code}
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14552037#comment-14552037 ] Oleg Kalnichevski commented on HTTPCLIENT-1613:
---
@Tar: Generally, JIRA is not the right place for such inquiries.

Yes, as of 4.5 one should be able to use default settings and get private domains handled correctly (included in cookie validation but excluded in SSL hostname validation).

For now one can disable PSL support without disabling SSL hostname verification entirely by doing
{code:java}
CloseableHttpClient client = HttpClients.custom()
        .setSSLHostnameVerifier(new DefaultHostnameVerifier(null))
        .build();
{code}

Oleg
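The mechanism behind the matchIdentity excerpt in the issue description and Oleg's note that 4.5 excludes private domains from SSL hostname validation, as an added example that is not HttpClient's own code: a Python port of the PublicSuffixMatcher.getDomainRoot() label walk and the matchIdentity() wildcard check, run against a constructed five-rule suffix list (the real list has thousands of entries). It shows why *.googleapis.com and *.s3.amazonaws.com fail to match their hosts when PRIVATE suffixes are treated like ICANN ones, pass once they are excluded, and why the DefaultHostnameVerifier(null) workaround also drops the guard against a wildcard over a public suffix such as *.co.uk.

```python
# Port of the HttpClient 4.4 hostname-verification path discussed in HTTPCLIENT-1613.
# Added example, not HttpClient source; IDN handling and PSL exception rules are omitted.

ICANN, PRIVATE = "ICANN", "PRIVATE"

# Constructed mini Public Suffix List: googleapis.com and s3.amazonaws.com sit in the
# PRIVATE section of the real list, the other three in the ICANN section.
PSL_RULES = {
    "com": ICANN,
    "uk": ICANN,
    "co.uk": ICANN,
    "googleapis.com": PRIVATE,
    "s3.amazonaws.com": PRIVATE,
}


def rules_of_type(rules, allowed_types):
    """Rule names whose section type is in allowed_types (4.5's DomainType filter)."""
    return {name for name, kind in rules.items() if kind in allowed_types}


def domain_root(domain, rules):
    """Port of PublicSuffixMatcher.getDomainRoot(): walk labels from the left, stop at
    the first segment that is a rule (or whose parent has a '*.' rule) and return the
    segment one level above it. A leading '*.' is just another label, which is why
    '*.googleapis.com' comes back whole when 'googleapis.com' itself is a rule."""
    if domain is None or domain.startswith("."):
        return None
    root = None
    segment = domain.lower()
    while segment is not None:
        if segment in rules:
            break
        dot = segment.find(".")
        parent = segment[dot + 1:] if dot != -1 else None
        if parent is not None and ("*." + parent) in rules:
            break
        if dot != -1:
            root = segment
        segment = parent
    return root


def match_domain_root(host, root):
    """Port of DefaultHostnameVerifier.matchDomainRoot(): host is root or a subdomain of it."""
    if root is None:
        return False
    return host.endswith(root) and (
        len(host) == len(root) or host[len(host) - len(root) - 1] == ".")


def match_identity(host, identity, psl_rules, strict=True):
    """Port of the matchIdentity() shape quoted in the issue. psl_rules is a set of
    suffix rules, or None to skip the PSL guard, as new DefaultHostnameVerifier(null) does."""
    host, identity = host.lower(), identity.lower()
    if psl_rules is not None and "." in host:
        if not match_domain_root(host, domain_root(identity, psl_rules)):
            return False  # the early exit the issue points at
    star = identity.find("*")
    if star == -1:
        return host == identity
    prefix, suffix = identity[:star], identity[star + 1:]
    if prefix and not host.startswith(prefix):
        return False
    if suffix and not host.endswith(suffix):
        return False
    if strict:
        # RFC 2818: the wildcard may cover a single label only
        remainder = host[len(prefix):len(host) - len(suffix)]
        if "." in remainder:
            return False
    return True


def verify(host, san, mode):
    """Check one (host, SAN dNSName) pair under a named verifier configuration:
    'all'   - 4.4 default: every PSL entry, ICANN and PRIVATE alike
    'icann' - 4.5 default: PRIVATE entries ignored for TLS hostname checks
    'nopsl' - new DefaultHostnameVerifier(null): PSL guard switched off"""
    if mode == "all":
        rules = rules_of_type(PSL_RULES, {ICANN, PRIVATE})
    elif mode == "icann":
        rules = rules_of_type(PSL_RULES, {ICANN})
    elif mode == "nopsl":
        rules = None
    else:
        raise ValueError("unknown mode: " + mode)
    return match_identity(host, san, rules)


if __name__ == "__main__":
    for host, san in [("www.googleapis.com", "*.googleapis.com"),
                      ("instructure-uploads.s3.amazonaws.com", "*.s3.amazonaws.com"),
                      ("example.co.uk", "*.co.uk")]:
        print(host, san, {m: verify(host, san, m) for m in ("all", "icann", "nopsl")})
```

The 'nopsl' column is the cost of the DefaultHostnameVerifier(null) workaround: a wildcard spanning a public suffix is accepted there, while both PSL-backed modes reject it.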
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14550893#comment-14550893 ] Tar commented on HTTPCLIENT-1613:
-
Hello, I am new to HttpClient and I found this entry for the same issue as the original poster that I am getting. Originally I was invoking my client by using this line:
{code:java}
HttpClient client = HttpClients.createDefault();
{code}
but because I was getting an error like this while sending something to AWS:
{noformat}
javax.net.ssl.SSLPeerUnverifiedException: Host name 'instructure-uploads.s3.amazonaws.com' does not match the certificate subject provided by the peer (CN=*.s3.amazonaws.com, OU=S3-A, O=Amazon.com Inc., L=Seattle, ST=Washington, C=US)
{noformat}
I started using this code:
{code:java}
HttpClient client = HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
{code}
I am currently using version 4.4. So just to clarify for me, are you saying that when version 4.5 is official I should go back to using:
{code:java}
HttpClient client = HttpClients.createDefault();
{code}
as the correct code?

P.S. I agree that fundamentally what Google and now also AWS are doing makes no common sense, but in my case I am getting info via a web service, so I am forced to take what I get and have to use it. Thank you.

Thank you for your advice.
[jira] [Commented] (HTTPCLIENT-1613) Support for so called 'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14342913#comment-14342913 ]

Øyvind Horneland commented on HTTPCLIENT-1613:
--

I can confirm that 4.5-alpha1 snapshot worked well and that host www.googleapis.com passes validation with certificate subject alt name: *.googleapis.com. Thanks!

> Support for so called 'private' domains in Mozilla Public Suffix List
> -
>
> Key: HTTPCLIENT-1613
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Affects Versions: 4.4 Final
> Reporter: Øyvind Horneland
> Assignee: Oleg Kalnichevski
> Labels: ssl
> Fix For: 4.5 Alpha1
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause:
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
> private static boolean matchIdentity(final String host, final String identity,
>                                      final PublicSuffixMatcher publicSuffixMatcher,
>                                      final boolean strict) {
>     if (publicSuffixMatcher != null && host.contains(".")) {
>         if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
>             return false; // WILL EXIT THE WILDCARD CHECK HERE
>         }
>     }
>     // RFC 2818, 3.1. Server Identity
>     // "...Names may contain the wildcard
>     // character * which is considered to match any single domain name
>     // component or component fragment..."
>     // Based on this statement presuming only singular wildcard is legal
>     final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns *.googleapis.com, but this should probably return googleapis.com (without the wildcard)? If the code reaches the "RFC 2818" logic, then it validates just fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
> at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
> at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache
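To make the rejection concrete, here is an added Python model of the matchIdentity flow quoted in the issue; it is not HttpClient's code, the tiny suffix tables are constructed samples, and keeping PRIVATE-section entries out of the domain-root pre-check is this example's reading of the 'private domains' fix. It shows www.googleapis.com failing the domain-root pre-check when googleapis.com counts as a public suffix, and passing the RFC 2818 wildcard check once only ICANN entries are used for that pre-check.

```python
# Stand-alone model of DefaultHostnameVerifier.matchIdentity as quoted in the
# issue. Not HttpClient's code: the suffix tables are constructed samples and
# the ICANN/private split is this example's reading of the 4.5 fix.

# Constructed suffix tables: ICANN rules plus one PRIVATE-section entry
# (googleapis.com is a 'private' domain in the Mozilla list).
ICANN_SUFFIXES = {"com", "co.uk"}
PRIVATE_SUFFIXES = {"googleapis.com"}


def domain_root(name, treat_private_as_public):
    """Registrable domain: the label directly above the matching suffix.

    Returns None when the name itself is a public suffix (getDomainRoot
    returns null there, so the root check fails)."""
    suffixes = set(ICANN_SUFFIXES)
    if treat_private_as_public:
        suffixes |= PRIVATE_SUFFIXES
    labels = name.lower().split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return name.lower()


def match_domain_root(host, root):
    """The host must equal the root or sit below it as a whole label."""
    return root is not None and (host == root or host.endswith("." + root))


def match_wildcard(host, identity):
    """RFC 2818 3.1: a single '*' matches one label fragment (strict mode)."""
    star = identity.find("*")
    if star == -1:
        return host == identity
    prefix, suffix = identity[:star], identity[star + 1:]
    if not (host.startswith(prefix) and host.endswith(suffix)):
        return False
    remainder = host[len(prefix):len(host) - len(suffix)]
    return remainder != "" and "." not in remainder


def match_identity(host, identity, treat_private_as_public):
    """The quoted logic: domain-root pre-check first, wildcard check second."""
    host, identity = host.lower(), identity.lower()
    if "." in host:
        root = domain_root(identity, treat_private_as_public)
        if not match_domain_root(host, root):
            return False  # the early exit flagged in the issue
    return match_wildcard(host, identity)
```

With the private entry treated as a public suffix the root of `*.googleapis.com` is `*.googleapis.com` and the host is rejected before the wildcard logic runs; with ICANN entries only the root is `googleapis.com` and the wildcard matches the single label `www`.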