[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185229#comment-17185229
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-2111:
-----------------------------------------------

{code:java}
Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("abc.xyz.mno.pqr.dev.local",
 "*.dev.local"));
Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("abc.xyz.mno.pqr.dev.local",
 "*.dev.local"));
{code}
Both asserts pass for me, which is expected. DefaultHostnameVerifier uses 
strict matching internally and its actual behavior is correct.

Oleg

> DefaultHostnameVerifier fails with "doesn't match any of the subject 
> alternative names"
> ---------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2111
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2111
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 4.5.12
>            Reporter: Nikhil Gahlot
>            Priority: Major
>
> In httpclient 4.5.6, DefaultHostnameVerifier explicitly checks for dots (.) in 
> the hostname (excluding domain/sub-domain). This causes hostnames like 
> abc.xyz.mno.pqr.dev.local to fail on a certificate with SAN wildcard 
> *.dev.local. I am using a certificate with CN = *.dev.local and SAN = 
> *.dev.local. Below is the error I am getting.
> {code:java}
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for 
> <abc.xyz.mno.pqr.dev.local> doesn't match any of the subject alternative 
> names: [*.dev.local]{code}
> I tested with 4.5.12 as well as 5.0.1 but am getting the same error. Can someone 
> recommend a good way to resolve this?
>  
> DefaultHostnameVerifier.matchIdentity()
>  
> {code:java}
> // Additional sanity checks on content selected by wildcard can be done here
>             if (strict) {
>                 final String remainder = host.substring(
>                         prefix.length(), host.length() - suffix.length());
>                 if (remainder.contains(".")) {
>                     return false;
>                 }
>             }
> {code}
>  
>  


