Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2015/05/30 11:22:17 UTC

[jira] [Updated] (HTTPCLIENT-1653) HttpClient does not validate maps.googleapis.com SSL certificate

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1653:
------------------------------------------
    Priority: Major  (was: Critical)

> HttpClient does not validate maps.googleapis.com SSL certificate
> ----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1653
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1653
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4.1
>            Reporter: Steven Schlansker
>
> The "maps.googleapis.com" server currently presents the following certificate:
> {code:java}
> chain [0] = [
> [
>   Version: V3
>   Subject: CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
>   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>   Key:  Sun RSA public key, 2048 bits
>   modulus: 24603438786799829993648986678019724241291765107767178256438229769255639603630079287976600644587296195855281469059079095367693219326954103920400266180383714041264052001835821459859979062309981001645460419612216568125600250057216485831813121470478703938651527074889693548670323978511118184793624149312062021697081807052679954878936237623840471166038329237994080148923456402909798064024275285184248122957449662230743505636400659699969523942248493865256228640211859299202173559659130845208610068933123027284385426267851138391278103759929777510485659786801300351957512079336462523079107001753896874655730331898039986696973
>   public exponent: 65537
>   Validity: [From: Wed May 06 02:59:24 PDT 2015,
>               To: Mon Aug 03 17:00:00 PDT 2015]
>   Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
>   SerialNumber: [    61dbc852 b477cf78]
> Certificate Extensions: 8
> ...
> [7]: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   DNSName: *.storage.googleapis.com
>   DNSName: *.commondatastorage.googleapis.com
>   DNSName: *.googleapis.com
> ]
> {code}
> The "googleapis.com" name is in the "mozilla/public-suffix-list.txt" file which is used by the PublicSuffixMatcher class to help parse DNS names.
> As the following test case demonstrates, this causes validation of the Google certificate to fail:
> {code:java}
> @Test
> public void testGoogleSubjectAlternativeNames() throws Exception {
>     DefaultHostnameVerifier.matchDNSName("maps.googleapis.com", Arrays.asList(
>             "*.storage.googleapis.com",
>             "*.commondatastorage.googleapis.com",
>             "*.googleapis.com"), new PublicSuffixMatcher(Collections.singleton("googleapis.com"), Collections.<String>emptySet()));
> }
> {code}
> This is a serious regression as it prevents secure connections to Google APIs.



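The failure mode described in the report, as an added example that is not code from the report or from HttpClient: a hostname check that refuses wildcards whose base name appears in a public suffix set rejects "maps.googleapis.com" once "googleapis.com" is in that set. The class and method names and the strict rule itself are assumptions made for illustration, and the suffix sets are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Simplified model for illustration; not HttpClient's DefaultHostnameVerifier.
public class SuffixWildcardDemo {

    // True if an exact name or a single-label wildcard ("*.example.com") covers host.
    static boolean wildcardMatches(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String tail = pattern.substring(1);              // ".example.com"
        if (!host.endsWith(tail) || host.length() == tail.length()) {
            return false;
        }
        String left = host.substring(0, host.length() - tail.length());
        return !left.contains(".");                      // "*" covers exactly one label
    }

    // Assumed strict rule: ignore a wildcard whose base name is itself a public suffix.
    static boolean strictMatch(String host, List<String> sans, Set<String> publicSuffixes) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String san : sans) {
            String p = san.toLowerCase(Locale.ROOT);
            if (p.startsWith("*.") && publicSuffixes.contains(p.substring(2))) {
                continue;                                // e.g. "*.co.uk" must never match
            }
            if (wildcardMatches(h, p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // SAN list copied from the certificate quoted in the report.
        List<String> sans = Arrays.asList("*.storage.googleapis.com",
                "*.commondatastorage.googleapis.com", "*.googleapis.com");
        // Constructed suffix sets: with and without the "googleapis.com" entry.
        Set<String> withEntry = Collections.singleton("googleapis.com");
        Set<String> withoutEntry = Collections.singleton("com");
        System.out.println(strictMatch("maps.googleapis.com", sans, withEntry));
        System.out.println(strictMatch("maps.googleapis.com", sans, withoutEntry));
        System.out.println(strictMatch("a.storage.googleapis.com", sans, withEntry));
    }
}
```

Only the first call is rejected: the sole SAN that could cover "maps.googleapis.com" is the wildcard the suffix entry disqualifies, while the deeper "*.storage.googleapis.com" wildcard is unaffected.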