Posted to dev@hc.apache.org by "Marc Layer (JIRA)" <ji...@apache.org> on 2019/06/26 06:53:00 UTC

[jira] [Commented] (HTTPCLIENT-1997) SSLPeerUnverifiedException on matching wildcard certificate

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16873000#comment-16873000 ] 

Marc Layer commented on HTTPCLIENT-1997:
----------------------------------------

When using the deprecated {{StrictHostnameVerifier}}, the server certificate described above is accepted.
{code:java}
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.impl.client.HttpClientBuilder;
HttpClient client = HttpClientBuilder.create()
        .setSSLHostnameVerifier(StrictHostnameVerifier.INSTANCE)
        .build();
{code}

> SSLPeerUnverifiedException on matching wildcard certificate
> -----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1997
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1997
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 4.5.9
>         Environment: Java 11
> Mac OS 10.14.5 as well as Pivotal Cloud Foundry
> Spring Boot 2.1.6 which uses httpclient 4.5.9
>            Reporter: Marc Layer
>            Priority: Major
>
> The step from httpclient 4.5.8 to 4.5.9 seems to have changed the behaviour of the {{DefaultHostnameVerifier}}. I now receive an {{SSLPeerUnverifiedException}} when trying to connect to a server that uses a wildcard server certificate. This used to work in 4.5.8.
> {code:java}
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <service.apps.dev.b.cloud.a> doesn't match any of the subject alternative names: [dev.b.cloud.a, *.system.dev.b.cloud.a, *.int.dev.b.cloud.a, *.login.system.dev.b.cloud.a, *.uaa.system.dev.b.cloud.a, *.apps.dev.b.cloud.a, *.ext.dev.b.cloud.a, CertreqId-12345]
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>     at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
>     ...
> {code}
> *Expected:* The host name verifier should accept the subject alternative name {{*.apps.dev.b.cloud.a}} for the server {{service.apps.dev.b.cloud.a}}.
> I suspect the issue to be related to HTTPCLIENT-1991. It changed {{PublicSuffixMatcher}} which is used by {{DefaultHostnameVerifier}}. In the debugger I found that {{DefaultHostnameVerifier}}.{{verify(String, SSLSession)}} fails to verify the host/x509 certificate combination in line 99.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
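
The expected behaviour the issue describes (the SAN {{*.apps.dev.b.cloud.a}} covering {{service.apps.dev.b.cloud.a}}, while a wildcard is never allowed to cover a whole public suffix) as a stand-alone illustration. This is an added example, not HttpClient's own code and not a reproduction of {{DefaultHostnameVerifier}}'s internals: it applies the RFC 6125 rule that a wildcard may only stand for the single leftmost label, and the {{PUBLIC_SUFFIXES}} set is a constructed stand-in for the list that {{PublicSuffixMatcher}} loads. The SAN list is the one from the exception message above; the extra hostnames are constructed. The comment's workaround keeps hostname verification switched on, which is what matters here; the example shows which inputs a correct verifier should accept and which it should refuse.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class WildcardSanCheck {

    // Constructed stand-in for a public suffix list (assumption: the real
    // PublicSuffixMatcher is loaded from the Mozilla public suffix list).
    // "a" is included only because the redacted domain in the issue ends in ".a".
    private static final Set<String> PUBLIC_SUFFIXES =
            new HashSet<>(Arrays.asList("com", "co.uk", "a"));

    /** True if the host is covered by one SAN identity under RFC 6125 wildcard rules. */
    static boolean matchIdentity(String host, String identity) {
        host = host.toLowerCase(Locale.ROOT);
        identity = identity.toLowerCase(Locale.ROOT);
        if (!identity.startsWith("*.")) {
            // No wildcard: the names must be identical. Non-DNS entries such as
            // "CertreqId-12345" simply never match a hostname.
            return host.equals(identity);
        }
        String suffix = identity.substring(1);   // ".apps.dev.b.cloud.a"
        String parent = identity.substring(2);   // "apps.dev.b.cloud.a"
        // A wildcard that would cover an entire public suffix ("*.com") is refused.
        if (PUBLIC_SUFFIXES.contains(parent)) {
            return false;
        }
        if (!host.endsWith(suffix)) {
            return false;
        }
        // The wildcard must stand for exactly one non-empty label: no dots allowed.
        String leftmost = host.substring(0, host.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    /** True if any SAN entry covers the host. */
    static boolean matchesAny(String host, List<String> subjectAlts) {
        for (String san : subjectAlts) {
            if (matchIdentity(host, san)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // SAN list taken from the exception message in the issue.
        List<String> sans = Arrays.asList(
                "dev.b.cloud.a", "*.system.dev.b.cloud.a", "*.int.dev.b.cloud.a",
                "*.login.system.dev.b.cloud.a", "*.uaa.system.dev.b.cloud.a",
                "*.apps.dev.b.cloud.a", "*.ext.dev.b.cloud.a", "CertreqId-12345");

        // The case from the issue: should be accepted.
        System.out.println(matchesAny("service.apps.dev.b.cloud.a", sans));   // true
        // Exact SAN entry: accepted.
        System.out.println(matchesAny("dev.b.cloud.a", sans));                // true
        // Constructed: wildcard would have to span two labels, so refused.
        System.out.println(matchesAny("x.y.apps.dev.b.cloud.a", sans));       // false
        // Constructed: a wildcard over a public suffix is refused outright.
        System.out.println(matchesAny("host.a", Arrays.asList("*.a")));       // false
    }
}
```

Run it with {{javac WildcardSanCheck.java && java WildcardSanCheck}}. The third and fourth cases are the ones worth keeping in mind when reading a hostname-verification bug: a verifier that is too permissive there is a bigger problem than one that is too strict, so the fix for this issue should restore the first case without loosening the others.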