Marc Layer created HTTPCLIENT-1997:
--------------------------------------
Summary: SSLPeerUnverifiedException on matching wildcard
certificate
Key: HTTPCLIENT-1997
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1997
Project: HttpComponents HttpClient
Issue Type: Bug
Affects Versions: 4.5.9
Environment: Java 11
Mac OS 10.14.5 as well as Pivotal Cloud Foundry
Spring Boot 2.1.6 which uses httpclient 4.5.9
Reporter: Marc Layer
The step from httpclient 4.5.8 to 4.5.9 seems to have changed the behaviour of
the {{DefaultHostNameVerifier}}. I now receive an
{{SSLPeerUnverifiedException}} when trying to connect to a server that uses a
wildcard server certificate. This used to work in 4.5.8.
{code:java}
javax.net.ssl.SSLPeerUnverifiedException: Certificate for
<service.apps.dev.b.cloud.a> doesn't match any of the subject alternative
names: [dev.b.cloud.a, *.system.dev.b.cloud.a, *.int.dev.b.cloud.a,
*.login.system.dev.b.cloud.a, *.uaa.system.dev.b.cloud.a, *.apps.dev.b.cloud.a,
*.ext.dev.b.cloud.a, CertreqId-12345]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
{code}
*Expected:* The host name verifier should accept the subject alternative name
{{*.apps.dev.b.cloud.a}} for the server {{service.apps.dev.b.cloud.a}}.
I suspect the issue to be related to HTTPCLIENT-1991. It changed
{{PublicSuffixMatcher}} which is used by {{DefaultHostNameVerifier}}.
{{DefaultHostNameVerifier}}.{{verify(String, SSLSession)}} fails to verify the
host/x509 certificate combination in line 99.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
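The expected behaviour in the report (a SAN of {{*.apps.dev.b.cloud.a}} covering {{service.apps.dev.b.cloud.a}}) follows the usual wildcard rule for DNS identifiers: the wildcard must be the whole leftmost label and it matches exactly one label. The Python below is an added example, not HttpClient code and not the reporter's, that applies that rule to the SAN list and host quoted in the stack trace; the SAN list is copied from the report, and the public-suffix handling the reporter suspects in {{PublicSuffixMatcher}} is deliberately not modelled, so this shows what a conforming verifier should return, not why 4.5.9 rejects it.

```python
"""Illustrative RFC 6125-style matching of a host against certificate DNS-IDs.

Added example (not part of the HTTPCLIENT-1997 report and not HttpClient's
implementation). It checks the SAN list quoted in the report against the
host and shows which entry should satisfy the verifier.
"""
from typing import Iterable, Optional

# Copied from the SSLPeerUnverifiedException message in the report.
SAN_LIST = [
    "dev.b.cloud.a",
    "*.system.dev.b.cloud.a",
    "*.int.dev.b.cloud.a",
    "*.login.system.dev.b.cloud.a",
    "*.uaa.system.dev.b.cloud.a",
    "*.apps.dev.b.cloud.a",
    "*.ext.dev.b.cloud.a",
    "CertreqId-12345",
]
HOST = "service.apps.dev.b.cloud.a"


def matches_identity(host: str, identity: str) -> bool:
    """Return True if a certificate DNS-ID covers host.

    Rules (after RFC 6125 section 6.4.3, applied conservatively):
    - comparison is case-insensitive and ignores a trailing dot;
    - an identity without a wildcard must equal the host exactly;
    - a wildcard is accepted only as the entire leftmost label ("*.example"),
      never partial ("f*.example") and never in a later label;
    - the wildcard matches exactly one label, so "*.example.com" does not
      cover "a.b.example.com";
    - the identity keeps at least two literal labels after the wildcard, so
      "*.com"-style identities never match anything.
    Public-suffix checks (the area the report points at) are not modelled.
    """
    host = host.lower().rstrip(".")
    identity = identity.lower().rstrip(".")
    if "*" not in identity:
        return host == identity
    labels = identity.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(labels) or not host_labels[0]:
        return False
    return host_labels[1:] == labels[1:]


def first_matching_san(host: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN that covers host, or None when verification should fail."""
    for san in sans:
        if matches_identity(host, san):
            return san
    return None


if __name__ == "__main__":
    # For the host in the report, the wildcard entry *.apps.dev.b.cloud.a should match.
    print(f"{HOST} -> {first_matching_san(HOST, SAN_LIST)}")
```

Running it prints the single SAN that covers the host; feeding a two-label host such as `a.b.apps.dev.b.cloud.a` returns `None`, which is the correct outcome for a single-label wildcard and a useful sanity check when comparing a verifier's output against the expectation in this report.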