Posted to dev@hc.apache.org by "Richard Comblen (JIRA)" <ji...@apache.org> on 2014/11/11 13:45:33 UTC

[jira] [Created] (HTTPCLIENT-1578) Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS

Richard Comblen created HTTPCLIENT-1578:
-------------------------------------------

             Summary: Regression between v4.1 and v4.1.1 regarding validation of SSL certificates for servers with multiple VirtualHost serving HTTPS
                 Key: HTTPCLIENT-1578
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1578
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
            Reporter: Richard Comblen


We have a service provider hosting a web application (Atlassian Stash) behind an https proxy. The server hosting this proxy hosts other VirtualHosts using https.

We have a client application (Jenkins) submitting POST requests to that application using the httpclient library.

We realized that starting with version 4.1.1 of the library, we get an SSL exception related to hostname verification.

I've created a minimal example hosted on GitHub: https://github.com/rcomblen/HttpClientRegressionTest

Debugging, you will see that the only certificate retrieved by the SSLSocket object corresponds to atlashost.eu (the hosting provider) and not *.kreios.lu (our own certificate).

It seems the library behaves like the openssl command line if you miss the -servername argument:
{code}
$ openssl s_client -connect stash.kreios.lu:443 2>/dev/null | grep subject
subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew/O=Damian Nowak/CN=*.atlashost.eu/emailAddress=hostmaster@atlashost.eu
$ openssl s_client -connect stash.kreios.lu:443 -servername stash.kreios.lu 2>/dev/null | grep subject
subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
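To make the failure mode above concrete, the following added example (not part of the issue or of HttpClient) parses the two openssl subject lines quoted in the report, applies RFC 6125 style wildcard hostname matching, and reports whether the host only verifies when SNI is sent. The subject lines are the constructed sample input; the helper names are assumptions.

```python
import re

# Constructed sample input: the two subject lines from the openssl session in the
# report, captured without and with the -servername (SNI) argument.
SUBJECT_NO_SNI = ("subject=/description=p7VPQDLL2DWTo7A5/C=PL/ST=Gdansk/L=Gniew"
                  "/O=Damian Nowak/CN=*.atlashost.eu/emailAddress=hostmaster@atlashost.eu")
SUBJECT_WITH_SNI = ("subject=/serialNumber=LwCTQJjJj94odszLnywxXW0AJcv0vdlc/OU=GT98629041"
                    "/OU=See www.rapidssl.com/resources/cps (c)14"
                    "/OU=Domain Control Validated - RapidSSL(R)/CN=*.kreios.lu")


def common_name(subject_line: str) -> str:
    """Extract the CN attribute from an openssl 'subject=/...' line."""
    m = re.search(r"/CN=([^/]+)", subject_line)
    if m is None:
        raise ValueError("no CN in subject line")
    return m.group(1)


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive match; a single leading '*.' covers exactly one label
    and never matches the registered domain itself (e.g. '*.kreios.lu' does
    not match 'kreios.lu' or 'a.b.kreios.lu')."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def diagnose(hostname: str, subject_no_sni: str, subject_with_sni: str) -> dict:
    """Compare the default certificate with the SNI-selected one for a host.
    'sni_required' is True when verification can only succeed with SNI, which
    is exactly the situation the report describes for a client that omits it."""
    cn_default = common_name(subject_no_sni)
    cn_sni = common_name(subject_with_sni)
    with_sni = hostname_matches(hostname, cn_sni)
    without_sni = hostname_matches(hostname, cn_default)
    return {
        "default_cert_cn": cn_default,
        "sni_cert_cn": cn_sni,
        "matches_without_sni": without_sni,
        "matches_with_sni": with_sni,
        "sni_required": with_sni and not without_sni,
    }
```

Real hostname verification checks subjectAltName dNSName entries before falling back to the CN; this example only parses the CN that openssl prints.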
