Posted to dev@hc.apache.org by "Andy Signer (JIRA)" <ji...@apache.org> on 2018/02/22 21:35:00 UTC

[jira] [Updated] (HTTPCLIENT-1906) HttpClient rejects valid certificates with subjectAltNames

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Signer updated HTTPCLIENT-1906:
------------------------------------
    Description: 
A certificate containing only an email address (declared as rfc822Name) in subjectAltName gets rejected. This change was introduced with HTTPCLIENT-1802.

HttpClient should fall back onto CN for hostname verification instead of rejecting the certificate as invalid.

Example certificate which gets rejected:
{noformat}
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----{noformat}
A unit test demonstrating the issue: [https://github.com/asigner/httpcomponents-client/commit/e2e5c422ad201fc4a4df07e05ffda522ed626008]

See [http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201802.mbox/%3cCAG5G_q+fh1p54gOO=_kLN09+9RizCfXGpmfEvUE3iQ3rp8ifxg@mail.gmail.com%3e]

  was:
A certificate containing only an email address (declared as rfc822Name) in subjectAltName gets rejected. This change was introduced with HTTPCLIENT-1802.

HttpClient should fall back onto CN for hostname verification instead of rejecting the certificate as invalid.

A unit test demonstrating the issue: https://github.com/asigner/httpcomponents-client/commit/e2e5c422ad201fc4a4df07e05ffda522ed626008

See http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201802.mbox/%3cCAG5G_q+fh1p54gOO=_kLN09+9RizCfXGpmfEvUE3iQ3rp8ifxg@mail.gmail.com%3e


> HttpClient rejects valid certificates with subjectAltNames
> ----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1906
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1906
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.3, 5.0 Alpha2
>            Reporter: Andy Signer
>            Priority: Minor
>
> A certificate containing only an email address (declared as rfc822Name) in subjectAltName gets rejected. This change was introduced with HTTPCLIENT-1802.
> HttpClient should fall back onto CN for hostname verification instead of rejecting the certificate as invalid.
> Example certificate which gets rejected:
> {noformat}
> -----BEGIN CERTIFICATE-----
> MIIDpTCCAo2gAwIBAgIJANqkMEtlkelbMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV
> BAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwIU29tZUNpdHkxEjAQBgNVBAoM
> CU15Q29tcGFueTETMBEGA1UECwwKTXlEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmNv
> bXBhbnkuY29tMB4XDTE4MDIxNTA3MjkzMFoXDTIwMDIxNTA3MjkzMFowcDELMAkG
> A1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhTb21lQ2l0eTESMBAGA1UE
> CgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlzaW9uMRgwFgYDVQQDDA93d3cu
> Y29tcGFueS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4v6Oq
> Ua0goRVn1cmT7MOpJhXFm3A70bTpvJIRpEjtGIz99hb34/9r5AYyf1VhKyWmBq24
> XNcOJ59XOlyjjbm2Tl811ufTOdcNbPadoVBmMt4039OSUFpVb4wAw2XPWLTCG2h1
> HNj9GuFHmwcDsg5EiIRrhDGQm2LLLAGoe5PdReoMZCeeWzNWvKTCV14pyRzwQhJL
> F1OmzLYzovbPfB8LZVhQgDbLsh034FScivf2oKDB+NEzAEagNpnrFR0MFLWGYsu1
> nWD5RiZi78HFGiibmhH7QrEPfGlo2eofuUga6naoBUROqkmMCIL8n1HZ/Ur0oGny
> vQCj1AyrfOhuVC53AgMBAAGjQjBAMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggr
> BgEFBQcDATAcBgNVHREEFTATgRFlbWFpbEBleGFtcGxlLmNvbTANBgkqhkiG9w0B
> AQsFAAOCAQEAZ0IsqRrsEmJ6Fa9Yo6PQtrKJrejN2TTDddVgyLQdokzWh/25JFad
> NCMYPH5KjTUyKf96hJDlDayjbKk1PMMhSZMU5OG9NOuGMH/dQttruG1ojse7KIKg
> yHDQrfq5Exxgfa7CMHRKAoTCY7JZhSLyVbTMVhmGfuUDad/RA86ZisXycp0ZmS97
> qDkAmzFL0sL0ZUWNNUh4ZUWvCUZwiuN08z70NjGqXMTDCf68p3SYxbII0xTfScgf
> aQ/A/hD7IbGGTexeoTwpEj01DNvefbQV6//neo32/R5XD0D5jn3TCgZcMThA6H3a
> VkEghVg+s7uMfL/UEebOBQWXQJ/uVoknMA==
> -----END CERTIFICATE-----{noformat}
> A unit test demonstrating the issue: [https://github.com/asigner/httpcomponents-client/commit/e2e5c422ad201fc4a4df07e05ffda522ed626008]
> See [http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201802.mbox/%3cCAG5G_q+fh1p54gOO=_kLN09+9RizCfXGpmfEvUE3iQ3rp8ifxg@mail.gmail.com%3e]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
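Added example, not part of the JIRA report and not HttpClient code: a stdlib-only Python script that decodes the certificate quoted in the issue, pulls out the subject CN and the subjectAltName entries by GeneralName type, and then runs the two hostname-verification policies the report turns on. Policy "never" treats any subjectAltName entry as switching CN matching off; policy "no-dns-id" consults the CN only when the certificate carries no dNSName or iPAddress entry, which is the RFC 2818 section 3.1 / RFC 6125 section 6.4.4 reading and the behaviour the reporter is asking for, since an rfc822Name entry is not a DNS-ID. The script does not reproduce DefaultHostnameVerifier and makes no claim about which policy a given HttpClient version implements; it only shows why the two readings diverge on exactly this certificate. The names `parse_identity`, `der_children`, `dns_name_matches`, `verify_host` and the `cn_fallback` parameter are chosen for this example, and the DER walker handles single-byte tags only, which is enough for this certificate.

```python
import base64
import ipaddress

# Certificate attached to HTTPCLIENT-1906: CN=www.company.com, SAN=rfc822Name:email@example.com
REPORTED_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDpTCCAo2gAwIBAgIJANqkMEtlkelbMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwIU29tZUNpdHkxEjAQBgNVBAoM
CU15Q29tcGFueTETMBEGA1UECwwKTXlEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmNv
bXBhbnkuY29tMB4XDTE4MDIxNTA3MjkzMFoXDTIwMDIxNTA3MjkzMFowcDELMAkG
A1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhTb21lQ2l0eTESMBAGA1UE
CgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlzaW9uMRgwFgYDVQQDDA93d3cu
Y29tcGFueS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4v6Oq
Ua0goRVn1cmT7MOpJhXFm3A70bTpvJIRpEjtGIz99hb34/9r5AYyf1VhKyWmBq24
XNcOJ59XOlyjjbm2Tl811ufTOdcNbPadoVBmMt4039OSUFpVb4wAw2XPWLTCG2h1
HNj9GuFHmwcDsg5EiIRrhDGQm2LLLAGoe5PdReoMZCeeWzNWvKTCV14pyRzwQhJL
F1OmzLYzovbPfB8LZVhQgDbLsh034FScivf2oKDB+NEzAEagNpnrFR0MFLWGYsu1
nWD5RiZi78HFGiibmhH7QrEPfGlo2eofuUga6naoBUROqkmMCIL8n1HZ/Ur0oGny
vQCj1AyrfOhuVC53AgMBAAGjQjBAMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggr
BgEFBQcDATAcBgNVHREEFTATgRFlbWFpbEBleGFtcGxlLmNvbTANBgkqhkiG9w0B
AQsFAAOCAQEAZ0IsqRrsEmJ6Fa9Yo6PQtrKJrejN2TTDddVgyLQdokzWh/25JFad
NCMYPH5KjTUyKf96hJDlDayjbKk1PMMhSZMU5OG9NOuGMH/dQttruG1ojse7KIKg
yHDQrfq5Exxgfa7CMHRKAoTCY7JZhSLyVbTMVhmGfuUDad/RA86ZisXycp0ZmS97
qDkAmzFL0sL0ZUWNNUh4ZUWvCUZwiuN08z70NjGqXMTDCf68p3SYxbII0xTfScgf
aQ/A/hD7IbGGTexeoTwpEj01DNvefbQV6//neo32/R5XD0D5jn3TCgZcMThA6H3a
VkEghVg+s7uMfL/UEebOBQWXQJ/uVoknMA==
-----END CERTIFICATE-----"""

OID_COMMON_NAME = bytes.fromhex("550403")       # id-at-commonName, 2.5.4.3
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # id-ce-subjectAltName, 2.5.29.17
GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uniformResourceIdentifier", 0x87: "iPAddress"}


def pem_to_der(pem):
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_children(data):
    """Split a DER SEQUENCE/SET body into (tag, content) pairs; single-byte tags only (example limitation)."""
    out, pos = [], 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out


def parse_identity(der):
    """Return (commonName, [(generalNameType, value), ...]) for a DER-encoded X.509 certificate."""
    (_, cert_body), = der_children(der)
    fields = der_children(der_children(cert_body)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                                # EXPLICIT [0] version, absent in v1 certs
        fields = fields[1:]
    cn = None                                               # fields: serial, sigAlg, issuer, validity, subject, spki, ...
    for _, rdn in der_children(fields[4][1]):
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == OID_COMMON_NAME:
                cn = value[1].decode("utf-8")
    sans = []
    for ext_body in (b for t, b in fields[5:] if t == 0xA3):           # [3] extensions
        for _, ext in der_children(der_children(ext_body)[0][1]):
            parts = der_children(ext)                       # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] != OID_SUBJECT_ALT_NAME:
                continue
            for gtag, gval in der_children(der_children(parts[-1][1])[0][1]):
                kind = GENERAL_NAME_TAGS.get(gtag, "other")
                text = str(ipaddress.ip_address(gval)) if kind == "iPAddress" else gval.decode("ascii", "replace")
                sans.append((kind, text))
    return cn, sans


def dns_name_matches(pattern, host):
    """Case-insensitive exact match, or one leftmost '*' label that spans neither a dot nor a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:] and "." in rest


def verify_host(host, cn, sans, cn_fallback):
    """Return (accepted, reason); cn_fallback is "never" or "no-dns-id" as described in the lead-in."""
    dns_ids = [v for k, v in sans if k == "dNSName"]
    blocking = [v for k, v in sans if k in ("dNSName", "iPAddress")]
    for name in dns_ids:
        if dns_name_matches(name, host):
            return True, "matched dNSName " + name
    if blocking:
        return False, "dNSName/iPAddress entries present but none match; CN not consulted"
    if cn_fallback == "never" and sans:
        return False, "subjectAltName present (%s); CN not consulted" % ", ".join(k for k, _ in sans)
    if cn is not None and dns_name_matches(cn, host):
        return True, "matched CN %s by fallback" % cn
    return False, "no matching identity"


if __name__ == "__main__":
    cn, sans = parse_identity(pem_to_der(REPORTED_CERT_PEM))
    for policy in ("never", "no-dns-id"):
        print(policy, "->", verify_host("www.company.com", cn, sans, policy))
```

Run against www.company.com, the "never" policy rejects the certificate because the subjectAltName extension exists at all, while "no-dns-id" accepts it on the CN because the only entry is an rfc822Name. Swapping in a certificate with any dNSName or iPAddress entry makes both policies ignore the CN, so the disagreement is confined to certificates like the one in this report.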
