Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- 4.4 Final
Description
Host: www.googleapis.com
Certificate subject alt name: *.googleapis.com
DefaultHostnameVerifier.matchDNSName throws an SSLException with message
DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
The default PublicSuffixMatcher is in use.
Possible cause:
DefaultHostnameVerifier's matchDNSName > matchIdentityStrict > matchIdentity:
    private static boolean matchIdentity(final String host, final String identity,
                                         final PublicSuffixMatcher publicSuffixMatcher,
                                         final boolean strict) {
        if (publicSuffixMatcher != null && host.contains(".")) {
            if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity))) {
                return false; // WILL EXIT THE WILDCARD CHECK HERE
            }
        }
        // RFC 2818, 3.1. Server Identity
        // "...Names may contain the wildcard
        // character * which is considered to match any single domain name
        // component or component fragment..."
        // Based on this statement presuming only singular wildcard is legal
        final int asteriskIdx = identity.indexOf('*');
The call to publicSuffixMatcher.getDomainRoot(identity) returns *.googleapis.com, but this should probably return googleapis.com (without the wildcard)? If the code reaches the "RFC 2818" logic, then it validates just fine.
Note: A default PublicSuffixMatcher is in use.
Stacktrace:
10:37:35,319 DEBUG 27 4 DefaultHostnameVerifier - Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
javax.net.ssl.SSLException: Certificate for <www.googleapis.com> doesn't match any of the subject alternative names: [*.googleapis.com, *.clients6.google.com, *.cloudendpointsapis.com, cloudendpointsapis.com, googleapis.com]
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:157)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:108)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:86)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:462)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:354)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
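Added example, not HttpClient's code and not part of the original report: a simplified Java model of the two-step check in the excerpt above, comparing a domain root that still carries the `*.` label with one computed after the label is dropped, plus a wildcard placed directly over a public suffix. `SUFFIXES`, `domainRoot`, `underRoot`, `wildcardMatch` and `verify` are hypothetical names, and the suffix set is constructed sample data rather than the real public suffix list.

```java
import java.util.Locale;
import java.util.Set;

public class WildcardSanCheck {
    // Constructed stand-in for the public suffix list (assumption, not real data).
    static final Set<String> SUFFIXES = Set.of("com", "co.uk");

    // Hypothetical helper: registrable domain = public suffix plus one label,
    // or null when the name is itself a public suffix or has no known suffix.
    static String domainRoot(String name) {
        String s = name.toLowerCase(Locale.ROOT);
        String prev = null;
        while (s != null) {
            if (SUFFIXES.contains(s)) return prev;
            prev = s;
            int dot = s.indexOf('.');
            s = dot < 0 ? null : s.substring(dot + 1);
        }
        return null;
    }

    // Simplified pre-check: the host must be the root or sit below it.
    static boolean underRoot(String host, String root) {
        return root != null && (host.equals(root) || host.endsWith("." + root));
    }

    // RFC 2818 single wildcard, restricted here to one whole leftmost label.
    static boolean wildcardMatch(String host, String identity) {
        if (!identity.startsWith("*.")) return host.equals(identity);
        String suffix = identity.substring(1);           // e.g. ".googleapis.com"
        int cut = host.length() - suffix.length();       // length of the label under "*"
        return cut > 0 && host.endsWith(suffix) && host.indexOf('.') == cut;
    }

    static boolean verify(String host, String identity, String root) {
        String h = host.toLowerCase(Locale.ROOT), id = identity.toLowerCase(Locale.ROOT);
        return underRoot(h, root) && wildcardMatch(h, id);
    }

    public static void main(String[] args) {
        String host = "www.googleapis.com", san = "*.googleapis.com";
        // Case 1: root passed with the wildcard attached, as the report describes.
        System.out.println("root keeps '*.': " + verify(host, san, san));
        // Case 2: root computed after dropping the "*." label, as the report suggests.
        System.out.println("root without '*.': " + verify(host, san, domainRoot(san.substring(2))));
        // Case 3: wildcard directly over a public suffix; the root check is what guards this.
        System.out.println("wildcard over suffix: " + verify("example.co.uk", "*.co.uk", domainRoot("co.uk")));
    }
}
```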
Issue Links
- is duplicated by
  - HTTPCLIENT-1636 Regression: hostname verification fails when it shouldn't (Closed)
  - HTTPCLIENT-1642 Issue with github SSL certificate (Closed)
  - HTTPCLIENT-1653 HttpClient does not validate maps.googleapis.com SSL certificate (Closed)