Hi everyone,

Last week I ran into a certificate verification error with httpcomponents-client 4.5.3. A certificate was rejected with the following message:

    javax.net.ssl.SSLPeerUnverifiedException: Certificate for <www.company.com> doesn't match any of the subject alternative names: [[email protected]]

After some investigation I found that the certificate was rejected because the commonName is ignored when there is a subjectAltName entry present (see [HTTPCLIENT-1802]). The certificate is a bit special because there is just one email address in the subjectAltName, nothing else.

I read parts of [rfc5280] and [rfc6125] and tried to figure out (I failed) whether the presented certificate is invalid and should be rejected (as happens), or whether the email address in the subjectAltName is just additional information which can be ignored by the DefaultHostnameVerifier, so that verification should fall back to the commonName.

What do you think? Should I just ask the owner of the certificate to change it, or is there something which could be improved in the default hostname verification?

Best regards
Andy Signer

PS: A unit test to demonstrate the rejected certificate: https://github.com/asigner/httpcomponents-client/pull/1

References
[rfc5280] https://tools.ietf.org/html/rfc5280#section-4.2.1.6
[rfc6125] https://tools.ietf.org/html/rfc6125#section-6.4.4
[HTTPCLIENT-1802] https://issues.apache.org/jira/browse/HTTPCLIENT-1802
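The rule the post is asking about is in RFC 6125 section 6.4.4: a client must not fall back to the CN-ID when the presented identifiers include a DNS-ID, SRV-ID, URI-ID or another identifier type the application supports. An rfc822Name is none of those for an HTTPS client, so a verifier that follows the RFC literally would still consult the commonName for a certificate whose only SAN entry is an email address, while a SAN that contains any dNSName or iPAddress entry switches the CN off entirely. The following Java class is an added illustration of that decision logic; it is not the code of HttpClient's DefaultHostnameVerifier, and the SAN list and commonName in main() are constructed values standing in for the certificate described in the post. It uses only the standard java.security.cert and javax.naming.ldap APIs: getSubjectAlternativeNames() yields (type, value) pairs with the GeneralName tag as an Integer, which is what the matcher operates on.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Illustrative RFC 6125 6.4.4 host matching (added example, not HttpClient's own code). */
public final class Rfc6125HostMatcher {

    // GeneralName tag values as returned by X509Certificate.getSubjectAlternativeNames()
    static final int SAN_RFC822_NAME = 1;
    static final int SAN_DNS_NAME = 2;
    static final int SAN_IP_ADDRESS = 7;

    /** True when the SAN carries at least one host identifier (dNSName or iPAddress). */
    static boolean hasHostIdentifiers(Collection<List<?>> sans) {
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            if (type == SAN_DNS_NAME || type == SAN_IP_ADDRESS) {
                return true;
            }
        }
        return false;
    }

    /** Case-insensitive DNS match allowing a single left-most wildcard label. */
    static boolean dnsMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        // "*.example.com" matches exactly one additional label; the bare domain does not match
        String suffix = p.substring(1);
        if (!h.endsWith(suffix)) {
            return false;
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    /**
     * Decide whether host is identified by the certificate.
     * sans: entries as returned by getSubjectAlternativeNames(), may be null when the extension is absent
     * cn:   subject commonName, or null when absent
     */
    static boolean matches(String host, Collection<List<?>> sans, String cn) {
        if (sans != null && hasHostIdentifiers(sans)) {
            for (List<?> entry : sans) {
                int type = (Integer) entry.get(0);
                String value = String.valueOf(entry.get(1));
                if (type == SAN_DNS_NAME && dnsMatches(host, value)) {
                    return true;
                }
                if (type == SAN_IP_ADDRESS && host.equals(value)) {
                    return true;
                }
            }
            return false; // host identifiers were presented and none matched: CN must be ignored
        }
        // No dNSName/iPAddress in the SAN (e.g. only an rfc822Name): the CN is still a candidate
        return cn != null && dnsMatches(host, cn);
    }

    /** Extract the CN from the subject DN, or null if there is none. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // unparsable subject DN: treat as having no CN
        }
        return null;
    }

    static boolean matches(String host, X509Certificate cert) throws CertificateParsingException {
        return matches(host, cert.getSubjectAlternativeNames(), commonName(cert));
    }

    public static void main(String[] args) {
        // Constructed SAN list mirroring the reported certificate: one rfc822Name and nothing else.
        List<Object> emailEntry = new ArrayList<>();
        emailEntry.add(SAN_RFC822_NAME);
        emailEntry.add("someone@example.com"); // constructed placeholder address
        Collection<List<?>> emailOnlySan = new ArrayList<>();
        emailOnlySan.add(emailEntry);

        // Constructed SAN list with a dNSName: here the CN must not be consulted.
        List<Object> dnsEntry = new ArrayList<>();
        dnsEntry.add(SAN_DNS_NAME);
        dnsEntry.add("other.example.com");
        Collection<List<?>> dnsSan = new ArrayList<>();
        dnsSan.add(dnsEntry);

        String cn = "www.example.com"; // constructed commonName
        System.out.println("email-only SAN, CN match:   " + matches("www.example.com", emailOnlySan, cn));
        System.out.println("dNSName SAN, CN ignored:    " + matches("www.example.com", dnsSan, cn));
        System.out.println("no SAN at all, CN match:    " + matches("www.example.com", null, cn));
    }
}
```

The first call prints true, the second false and the third true, which is the behaviour the RFC text describes: the CN is only a fallback, and it is disqualified the moment the SAN names a host by DNS name or IP address. Whether a verifier should accept such a certificate in practice also depends on what the CA/Browser Forum and the issuing CA's profile require of the SAN, which the RFC alone does not settle.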
