You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2015/05/30 11:22:17 UTC
[jira] [Updated] (HTTPCLIENT-1653) HttpClient does not validate
maps.googleapis.com SSL certificate
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski updated HTTPCLIENT-1653:
------------------------------------------
Priority: Major (was: Critical)
> HttpClient does not validate maps.googleapis.com SSL certificate
> ----------------------------------------------------------------
>
> Key: HTTPCLIENT-1653
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1653
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.4.1
> Reporter: Steven Schlansker
>
> The "maps.googleapis.com" server currently presents the following certificate:
> {code:java}
> chain [0] = [
> [
> Version: V3
> Subject: CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> Key: Sun RSA public key, 2048 bits
> modulus: 24603438786799829993648986678019724241291765107767178256438229769255639603630079287976600644587296195855281469059079095367693219326954103920400266180383714041264052001835821459859979062309981001645460419612216568125600250057216485831813121470478703938651527074889693548670323978511118184793624149312062021697081807052679954878936237623840471166038329237994080148923456402909798064024275285184248122957449662230743505636400659699969523942248493865256228640211859299202173559659130845208610068933123027284385426267851138391278103759929777510485659786801300351957512079336462523079107001753896874655730331898039986696973
> public exponent: 65537
> Validity: [From: Wed May 06 02:59:24 PDT 2015,
> To: Mon Aug 03 17:00:00 PDT 2015]
> Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
> SerialNumber: [ 61dbc852 b477cf78]
> Certificate Extensions: 8
> ...
> [7]: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> DNSName: *.storage.googleapis.com
> DNSName: *.commondatastorage.googleapis.com
> DNSName: *.googleapis.com
> ]
> {code}
> The "googleapis.com" name is in the "mozilla/public-suffix-list.txt" file which is used by the PublicSuffixMatcher class to help parse DNS names.
> As the following test case demonstrates, this causes validation of the Google certificate to fail:
> {code:java}
> @Test
> public void testGoogleSubjectAlternativeNames() throws Exception {
> DefaultHostnameVerifier.matchDNSName("maps.googleapis.com", Arrays.asList(
> "*.storage.googleapis.com",
> "*.commondatastorage.googleapis.com",
> "*.googleapis.com"), new PublicSuffixMatcher(Collections.singleton("googleapis.com"), Collections.<String>emptySet()));
> }
> {code}
> This is a serious regression as it prevents secure connections to Google APIs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org