Christian Habermehl created HTTPCLIENT-2370:
-----------------------------------------------
Summary: Wrong SSLPeerUnverifiedException with httpclient5
Key: HTTPCLIENT-2370
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2370
Project: HttpComponents HttpClient
Issue Type: Bug
Affects Versions: 5.4.3
Environment: Linux / MacOS / Java 21
Reporter: Christian Habermehl
When I try to download a file from s3.eu-west-1.amazonaws.com I get this
exception:
{code}
javax.net.ssl.SSLPeerUnverifiedException: Certificate for
<s3.eu-west-1.amazonaws.com> doesn't match any of the subject alternative
names: [s3-eu-west-1.amazonaws.com, *.s3-eu-west-1.amazonaws.com,
s3.eu-west-1.amazonaws.com, *.s3.eu-west-1.amazonaws.com,
s3.dualstack.eu-west-1.amazonaws.com, *.s3.dualstack.eu-west-1.amazonaws.com,
*.s3.amazonaws.com, *.s3-control.eu-west-1.amazonaws.com,
s3-control.eu-west-1.amazonaws.com,
*.s3-control.dualstack.eu-west-1.amazonaws.com,
s3-control.dualstack.eu-west-1.amazonaws.com,
*.s3-accesspoint.eu-west-1.amazonaws.com,
*.s3-accesspoint.dualstack.eu-west-1.amazonaws.com,
*.s3-deprecated.eu-west-1.amazonaws.com, s3-deprecated.eu-west-1.amazonaws.com,
s3-external-3.amazonaws.com, *.s3-external-3.amazonaws.com]
    at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
    at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
    at org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
    at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
    at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
    at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
{code}
even though the DomainName is part of the alternative Names.
It seems that when comparing the DomainNames the Host
"s3.eu-west-1.amazonaws.com" is compared to ".s3.eu-west-1.amazonaws.com" and
this fails.
With version 5.4.2 the download works without problems.
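
An added example, not part of the original report and not HttpClient's own code: a minimal DNS-name matcher following the RFC 6125 rules, restricted to exact matches and whole-label `*.` wildcards, run against a subset of the SAN list quoted in the report. The class and method names are hypothetical, and the bucket hostname is constructed.

```java
import java.util.List;
import java.util.Locale;

public class SanMatchExample {

    // Exact case-insensitive match, or a "*." wildcard that stands for
    // exactly one non-empty left-most label (never zero, never two).
    static boolean matchesDnsName(String host, String san) {
        String h = host.toLowerCase(Locale.ROOT);
        String s = san.toLowerCase(Locale.ROOT);
        if (!s.startsWith("*.")) {
            return h.equals(s);
        }
        String suffix = s.substring(1); // e.g. ".s3.eu-west-1.amazonaws.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    // A certificate is acceptable if any one SAN entry matches; a wildcard
    // entry that does not match must not mask an exact entry that does.
    static boolean matchesAny(String host, List<String> sans) {
        return sans.stream().anyMatch(san -> matchesDnsName(host, san));
    }

    public static void main(String[] args) {
        // Subset of the SAN list quoted in the report.
        List<String> sans = List.of(
                "s3-eu-west-1.amazonaws.com",
                "*.s3-eu-west-1.amazonaws.com",
                "s3.eu-west-1.amazonaws.com",
                "*.s3.eu-west-1.amazonaws.com",
                "*.s3.amazonaws.com");
        String host = "s3.eu-west-1.amazonaws.com";
        for (String san : sans) {
            System.out.printf("%-32s %s%n", san, matchesDnsName(host, san));
        }
        System.out.println("any match: " + matchesAny(host, sans));
        // Constructed hostname: one extra label, so the wildcard entry applies.
        System.out.println("bucket host vs wildcard: " + matchesDnsName(
                "mybucket.s3.eu-west-1.amazonaws.com", "*.s3.eu-west-1.amazonaws.com"));
    }
}
```

Under these rules only the exact entry `s3.eu-west-1.amazonaws.com` matches the requested host; the `*.s3.eu-west-1.amazonaws.com` entry does not, and is not needed for the certificate to be accepted.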