Kaduk Mikhail created HTTPCLIENT-2353:
-----------------------------------------
Summary: Incorrect IDN-hostname validation from TLS-certificates
Key: HTTPCLIENT-2353
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2353
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Affects Versions: 5.4.1
Reporter: Kaduk Mikhail
Default HttpClient created by {{HttpClientBuilder.create().build()}} cannot
validate some IDN-hostname from TLS-certificates and throws exception:
{code:java}
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException:
Certificate for <поиск-слов.рф> doesn't match any of the subject alternative
names: [www.xn----dtbqigoecuc.xn--p1ai, xn----dtbqigoecuc.xn--p1ai]
at
org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:171)
at
org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:129)
at
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
at
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
at
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
at
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
at
org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
at
org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
at
org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
at
org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
at
org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
at
org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
at
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at
org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
at
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at
org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
at
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at
org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
at
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at
org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
at
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at
org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:174)
at
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
at
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
at
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
{code}
I didn't test behaviour on other IDN-hostnames but this error occurs on
hostname {{поиск-слов.рф}}
Cetrificate of this websize contains two alternative subject names:
* {{www.xn\-\-\-\-dtbqigoecuc.xn-p1ai}}
* {{xn\-\-\-\-dtbqigoecuc.xn--p1ai}}
{{xn\-\-\-\-dtbqigoecuc.xn--p1ai}} equals to encoded {{{}поиск-слов.рф{}}}, but
{{org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchIdentity}}
compares host and identity via {{equalsIgnoreCase}} and returns false
Link to code in github:
https://github.com/apache/httpcomponents-client/blob/rel/v5.4.1/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java#L260
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
