Posted to commits@hc.apache.org by ol...@apache.org on 2020/01/29 08:36:30 UTC
[httpcomponents-client] 02/02: HTTPCLIENT-2047: fixed regression in
DefaultHostnameVerifier causing rejection of certs with non-standard
domains.
This is an automated email from the ASF dual-hosted git repository.
olegk pushed a commit to branch 4.5.x
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git
commit 736c00da6dfe4c91210d80d06cf7b28f857c035b
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Sat Jan 25 15:49:44 2020 +0100
HTTPCLIENT-2047: fixed regression in DefaultHostnameVerifier causing rejection of certs with non-standard domains.
This reverts commit e0416f07
---
.../http/conn/ssl/DefaultHostnameVerifier.java | 4 ++--
.../http/conn/ssl/TestDefaultHostnameVerifier.java | 26 ++++++++++++++++++++++
.../src/test/resources/suffixlistmatcher.txt | 1 +
3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
index 4a0ae1f..18dd5dc 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
@@ -169,7 +169,7 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
final SubjectName subjectAlt = subjectAlts.get(i);
if (subjectAlt.getType() == SubjectName.DNS) {
final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
- if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
+ if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) {
return;
}
}
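Review bot: Line 28 drops the `DomainType.ICANN` argument from the `matchIdentityStrict` call without any comment recording why, so a later reader sees only the 3-argument overload and may reinstate the ICANN restriction as a hardening step, reintroducing the regression this commit fixes; the same applies to line 37 in `matchCN`. The commit message and the new `testMatchDNSName` cases (identities whose suffix sits in the PRIVATE section of the test suffix list, or is absent from it, such as `.local`) are the only record of the intended behaviour, and neither is visible from the verifier source. Suggest `// HTTPCLIENT-2047: do not restrict to DomainType.ICANN here; that rejected identities whose suffix is not an ICANN entry (see testMatchDNSName)` above line 28, and the same comment above line 37. The enclosing `matchDNSName` loop starts before this hunk, and the `matchCN` signature is cut at line 33.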
@@ -182,7 +182,7 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
final String normalizedHost = DnsUtils.normalize(host);
final String normalizedCn = DnsUtils.normalize(cn);
- if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
+ if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher)) {
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
"common name of the certificate subject: " + cn);
}
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java b/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
index ec6f2a9..71bf7e0 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
@@ -35,6 +35,7 @@ import java.nio.charset.Charset;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLException;
@@ -375,6 +376,7 @@ public class TestDefaultHostnameVerifier {
Assert.assertTrue(DefaultHostnameVerifier.matchIdentity( "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict( "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
}
+
@Test // Check compressed IPv6 hostname matching
public void testHTTPCLIENT_1316() throws Exception{
final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001";
@@ -417,4 +419,28 @@ public class TestDefaultHostnameVerifier {
}
}
+ @Test
+ public void testMatchDNSName() throws Exception {
+ DefaultHostnameVerifier.matchDNSName(
+ "host.domain.com",
+ Collections.singletonList(SubjectName.DNS("*.domain.com")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "host.xx",
+ Collections.singletonList(SubjectName.DNS("*.xx")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "host.appspot.com",
+ Collections.singletonList(SubjectName.DNS("*.appspot.com")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "demo-s3-bucket.s3.eu-central-1.amazonaws.com",
+ Collections.singletonList(SubjectName.DNS("*.s3.eu-central-1.amazonaws.com")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "hostname-workspace-1.local",
+ Collections.singletonList(SubjectName.DNS("hostname-workspace-1.local")),
+ publicSuffixMatcher);
+ }
+
}
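Review bot: `testMatchDNSName` (lines 63–85) contains only accepting cases, each call being expected to return without throwing, so it does not pin the rejecting side of the suffix check that the `DomainType` change touches; a later edit that disabled the public-suffix check altogether would still pass it. A companion test expecting `SSLException` for a wildcard that covers a public suffix itself would close that gap, assuming `com` is listed in the ICANN section of `suffixlistmatcher.txt` (that section starts at line 98 and is not visible here); `SSLException` is already imported at line 51 and `publicSuffixMatcher` is the fixture field the new test uses, declared outside this hunk. A one-line comment on the new method, `// HTTPCLIENT-2047: identities under PRIVATE-section or unlisted suffixes must still match`, would also tie the entries added to the test suffix list to this test.
```java
    @Test(expected = SSLException.class)
    public void testMatchDNSNameRejectsWildcardOnPublicSuffix() throws Exception {
        // negative counterpart of testMatchDNSName: a wildcard spanning a public suffix must not match
        DefaultHostnameVerifier.matchDNSName(
                "host.com",
                Collections.singletonList(SubjectName.DNS("*.com")),
                publicSuffixMatcher);
    }
```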
diff --git a/httpclient/src/test/resources/suffixlistmatcher.txt b/httpclient/src/test/resources/suffixlistmatcher.txt
index b027fe4..e9377cb 100644
--- a/httpclient/src/test/resources/suffixlistmatcher.txt
+++ b/httpclient/src/test/resources/suffixlistmatcher.txt
@@ -27,6 +27,7 @@
xx
lan
appspot.com
+s3.eu-central-1.amazonaws.com
// ===END PRIVATE DOMAINS===
// ===BEGIN ICANN DOMAINS===