You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Oleg Kalnichevski (Resolved) (JIRA)" <ji...@apache.org> on 2011/10/23 13:48:32 UTC
[jira] [Resolved] (HTTPCLIENT-1138) SSLSocketFactory incorrectly
uses InetSocketAddress.toString() to get the hostname
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-1138.
-------------------------------------------
Resolution: Won't Fix
This problem has been fixed in SVN trunk (4.2). As far as stable 4.1.x releases are concerned just do not use deprecated methods / classes. The bug affects deprecated code only.
Oleg
> SSLSocketFactory incorrectly uses InetSocketAddress.toString() to get the hostname
> ----------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1138
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1138
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.1.2
> Environment: Java 6u27
> Reporter: Marshall Pierce
>
> I'm getting issues with SSL hostname verification:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost/127.0.0.1> != <localhost>
> at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:228)
> at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
> at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
> at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:495)
> at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
> I think the issue is on SSLSocketFactory:381.
> It gets the hostname that will then be passed to the hostname verifier:
> // HttpInetSocketAddress#toString() returns original hostname value of the remote address
> String hostname = remoteAddress.toString();
> This seems wrong because remoteAddress.toString() (of type InetSocketAddress) calls toString on the InetAddress inside the InetSocketAddress, and InetAddress#toString() has this in its documentation:
> The string returned is of the form: hostname / literal IP address. Note that the comment seems to indicate the code was originally written against HttpInetSocketAddress, which DOES have the desired behavior on toString(). The runtime type of remoteAddress is java.net.InetSocketAddress, not HttpInetSocketAddress.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org