You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Serge Sozonoff (JIRA)" <ji...@apache.org> on 2016/10/13 11:30:21 UTC
[jira] [Commented] (HTTPCLIENT-1613) Support for so called
'private' domains in Mozilla Public Suffix List
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571652#comment-15571652 ]
Serge Sozonoff commented on HTTPCLIENT-1613:
--------------------------------------------
Does not work for us with 4.5.2 and Amazon S3....
Further more this workaround
{code:java}
CloseableHttpClient client = HttpClients.custom()
.setSSLHostnameVerifier(new DefaultHostnameVerifier(null))
.build();
{code}
Does not work either for the simple reason
{code:java}
public CloseableHttpClient build() {
// Create main request executor
// We copy the instance fields to avoid changing them, and rename to avoid accidental use of the wrong version
PublicSuffixMatcher publicSuffixMatcherCopy = this.publicSuffixMatcher;
if (publicSuffixMatcherCopy == null) {
publicSuffixMatcherCopy = PublicSuffixMatcherLoader.getDefault();
}
{code}
> Support for so called 'private' domains in Mozilla Public Suffix List
> ---------------------------------------------------------------------
>
> Key: HTTPCLIENT-1613
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1613
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient (classic)
> Affects Versions: 4.4 Final
> Reporter: Øyvind Horneland
> Assignee: Oleg Kalnichevski
> Labels: ssl
> Fix For: 4.5
>
>
> Host: www.googleapis.com
> Certificate subject alt name: *.googleapis.com
> DefaultHostnameVerifier.matchDNSName throws an SSLException with message
> {quote}
> DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> {quote}
> The default PublicSuffixMatcher is in use.
> Possible cause:
> DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
> {noformat}
> private static boolean matchIdentity(final String host, final String identity,
> final PublicSuffixMatcher publicSuffixMatcher,
> final boolean strict) {
> if (publicSuffixMatcher != null && host.contains(".")) {
> if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
> return false; // WILL EXIT THE WILDCARD CHECK HERE
> }
> }
> // RFC 2818, 3.1. Server Identity
> // "...Names may contain the wildcard
> // character * which is considered to match any single domain name
> // component or component fragment..."
> // Based on this statement presuming only singular wildcard is legal
> final int asteriskIdx = identity.indexOf('*');
> {noformat}
> The call to {{publicSuffixMatcher.getDomainRoot(identity)}} returns *.googleapis.com, but this should probably return googleapis.com (without the wildcard)? If the code reaches the "RFC 2818" logic, then it validates just fine.
> Note: A default PublicSuffixMatcher is in use.
> Stacktrace:
> {noformat}
> 10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
> at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
> at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
> at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org