[ https://issues.apache.org/jira/browse/HTTPCLIENT-2111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185229#comment-17185229 ]
Oleg Kalnichevski commented on HTTPCLIENT-2111:
-----------------------------------------------

{code:java}
Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("abc.xyz.mno.pqr.dev.local", "*.dev.local"));
Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("abc.xyz.mno.pqr.dev.local", "*.dev.local"));
{code}

Both asserts pass for me, which is expected. DefaultHostnameVerifier uses strict matching internally and its actual behavior is correct.

Oleg

> DefaultHostnameVerifier fails with "doesn't match any of the subject alternative names"
> ---------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2111
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2111
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 4.5.12
>            Reporter: Nikhil Gahlot
>            Priority: Major
>
> In httpclient 4.5.6, DefaultHostnameVerifier explicitly checks for dots (.) in
> the hostname (excluding domain/sub-domain). This causes hostnames like
> abc.xyz.mno.pqr.dev.local to fail on a certificate with the SAN wildcard
> *.dev.local. I am using a certificate with CN = *.dev.local and SAN =
> *.dev.local. Below is the error I am getting.
> {code:java}
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <abc.xyz.mno.pqr.dev.local> doesn't match any of the subject alternative names: [*.dev.local]
> {code}
> I tested with 4.5.12 as well as 5.0.1 but am getting the same error. Can someone
> recommend a good way to resolve this?
>
> DefaultHostnameVerifier.matchIdentity()
>
> {code:java}
> // Additional sanity checks on content selected by wildcard can be done here
> if (strict) {
>     final String remainder = host.substring(
>             prefix.length(), host.length() - suffix.length());
>     if (remainder.contains(".")) {
>         return false;
>     }
> }
> {code}
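
An added example, not part of the original message and not the HttpClient source: a stand-alone reimplementation of the single-wildcard check quoted above, showing why abc.xyz.mno.pqr.dev.local passes lenient matching but fails strict matching against *.dev.local. The class and method names (WildcardMatchDemo, matches) are hypothetical.

```java
// Added illustration; NOT the HttpClient source. WildcardMatchDemo and
// matches() are hypothetical names that mirror the check quoted in the issue.
import java.util.Locale;

public class WildcardMatchDemo {

    /** Returns true if host matches a pattern containing at most one '*'. */
    static boolean matches(String host, String pattern, boolean strict) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        int star = p.indexOf('*');
        if (star == -1) {
            return h.equals(p);               // no wildcard: exact match only
        }
        String prefix = p.substring(0, star);
        String suffix = p.substring(star + 1);
        // The host must be long enough that prefix and suffix do not overlap,
        // and the wildcard must stand for at least one character.
        if (h.length() <= prefix.length() + suffix.length()
                || !h.startsWith(prefix) || !h.endsWith(suffix)) {
            return false;
        }
        if (strict) {
            // Same test as the snippet quoted above: the text covered by '*'
            // may not contain a dot, so it spans exactly one DNS label.
            String remainder = h.substring(prefix.length(), h.length() - suffix.length());
            if (remainder.contains(".")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String san = "*.dev.local";
        String[] hosts = {
            "abc.dev.local",              // one label under the wildcard
            "abc.xyz.mno.pqr.dev.local",  // host from the issue: four labels
            "dev.local",                  // nothing for '*' to stand for
        };
        for (String host : hosts) {
            System.out.printf("%-28s lenient=%-5b strict=%b%n",
                    host, matches(host, san, false), matches(host, san, true));
        }
    }
}
```

A certificate meant to cover a multi-label host such as the one in the issue needs a SAN entry at the matching depth (for example a wildcard one level above the host) or the exact name, since strict matching lets the wildcard stand for one label only.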