Re: [PR] Decode Subject Alternative Names (SAN) for X.509 Certificates [httpcomponents-client]

via GitHub Fri, 28 Mar 2025 06:55:54 -0700


leonardehrenfried commented on PR #610:
URL: 
https://github.com/apache/httpcomponents-client/pull/610#issuecomment-2761435839


   Has this change made into 5.4.3?
   
   I upgrade to that version yesterday and I'm seeing the following exception 
which seems related:
   
   ```
   Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for 
<s3.amazonaws.com> doesn't match any of the subject alternative names: 
[s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, 
s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, 
s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, 
s3-control.us-east-1.amazonaws.com, 
*.s3-control.dualstack.us-east-1.amazonaws.com, 
s3-control.dualstack.us-east-1.amazonaws.com, 
*.s3-accesspoint.us-east-1.amazonaws.com, 
*.s3-accesspoint.dualstack.us-east-1.amazonaws.com, 
*.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, 
s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, 
s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
        at 
org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
        at 
org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
        at 
org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
        at 
org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
        at 
org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
        at 
org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
        at 
org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
        at 
org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
        at 
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
        at 
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
        at 
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
        at 
org.opentripplanner.framework.io.OtpHttpClient.executeAndMapWithResponseHandler(OtpHttpClient.java:302)
        ... 14 common frames omitted
   ```
   
   When I downgrade to 5.4.2 the request succeeds.
   
   The URL that fails is the following: 
https://s3.amazonaws.com/kcm-alerts-realtime-prod/vehiclepositions.pb


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: [PR] Decode Subject Alternative Names (SAN) for X.509 Certificates [httpcomponents-client]

Reply via email to