HttpComponents HttpClient / HTTPCLIENT-1653

HttpClient does not validate maps.googleapis.com SSL certificate


Details

    Type: Bug
    Status: Closed
    Priority: Major
    Resolution: Duplicate
    Version/s: 4.4.1, 4.5
    Component/s: HttpClient (classic)
    Labels: None

    Description

      The "maps.googleapis.com" server currently presents the following certificate:

      chain [0] = [
      [
        Version: V3
        Subject: CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US
        Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      
        Key:  Sun RSA public key, 2048 bits
        modulus: 24603438786799829993648986678019724241291765107767178256438229769255639603630079287976600644587296195855281469059079095367693219326954103920400266180383714041264052001835821459859979062309981001645460419612216568125600250057216485831813121470478703938651527074889693548670323978511118184793624149312062021697081807052679954878936237623840471166038329237994080148923456402909798064024275285184248122957449662230743505636400659699969523942248493865256228640211859299202173559659130845208610068933123027284385426267851138391278103759929777510485659786801300351957512079336462523079107001753896874655730331898039986696973
        public exponent: 65537
        Validity: [From: Wed May 06 02:59:24 PDT 2015,
                    To: Mon Aug 03 17:00:00 PDT 2015]
        Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
        SerialNumber: [    61dbc852 b477cf78]
      
      Certificate Extensions: 8
      ...
      [7]: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
        DNSName: *.storage.googleapis.com
        DNSName: *.commondatastorage.googleapis.com
        DNSName: *.googleapis.com
      ]
      

      The "googleapis.com" name is in the "mozilla/public-suffix-list.txt" file which is used by the PublicSuffixMatcher class to help parse DNS names.

      As the following test case demonstrates, this causes validation of the Google certificate to fail:

      package org.apache.http.conn.ssl;  // matchDNSName is package-private, so the test sits beside DefaultHostnameVerifier

      import java.util.Arrays;
      import java.util.Collections;
      import org.apache.http.conn.util.PublicSuffixMatcher;
      import org.junit.Test;

      @Test
      public void testGoogleSubjectAlternativeNames() throws Exception {
          // Throws SSLException when "googleapis.com" is treated as a public suffix, although "*.googleapis.com" covers the host.
          DefaultHostnameVerifier.matchDNSName("maps.googleapis.com", Arrays.asList(
                  "*.storage.googleapis.com",
                  "*.commondatastorage.googleapis.com",
                  "*.googleapis.com"), new PublicSuffixMatcher(Collections.singleton("googleapis.com"), Collections.<String>emptySet()));
      }
      

      This is a serious regression as it prevents secure connections to Google APIs.
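The failure mode described in the report, reproduced in a stand-alone model. This is an added example, not HttpClient code and not the reporter's: the suffix sets are a constructed excerpt of the Public Suffix List, and registrableDomain, matchIdentity and verify are hypothetical names for a simplified version of the check, not the library's API. It shows why a wildcard guard keyed on the whole list refuses "*.googleapis.com" for "maps.googleapis.com" (the suffix is treated like "co.uk", so nothing below it may be covered by a wildcard), and that keying the guard on the list's ICANN section alone keeps "*.co.uk" rejected while accepting the Google wildcard. "googleapis.com" appears in the PRIVATE section of the Public Suffix List, which marks suffixes operated by a single organization rather than a registry, so a wildcard over it is a legitimate single-owner certificate.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Stand-alone model of public-suffix-guarded wildcard matching. Added
 * illustration, not HttpClient code; the suffix sets below are a constructed
 * excerpt of the Public Suffix List, not the real file.
 */
public final class WildcardSuffixDemo {

    // ICANN section entries: registry-operated suffixes.
    static final Set<String> ICANN = new HashSet<>(Arrays.asList("com", "net", "co.uk"));
    // PRIVATE section entries: suffixes one organization owns and delegates
    // to its own services or customers. googleapis.com is listed there.
    static final Set<String> PRIVATE = new HashSet<>(Arrays.asList("googleapis.com", "appspot.com"));

    static Set<String> union(Set<String> a, Set<String> b) {
        Set<String> s = new HashSet<>(a);
        s.addAll(b);
        return s;
    }

    /**
     * Registrable domain of name under the given suffix set: the longest
     * listed suffix plus one label. Returns null when the name is itself a
     * listed suffix (or no suffix matches), i.e. when no single party owns
     * everything below it.
     */
    static String registrableDomain(String name, Set<String> suffixes) {
        String[] labels = name.toLowerCase(Locale.ROOT).split("\\.");
        for (int i = 0; i < labels.length; i++) {
            String tail = String.join(".", Arrays.copyOfRange(labels, i, labels.length));
            if (suffixes.contains(tail)) {
                return i == 0 ? null
                        : String.join(".", Arrays.copyOfRange(labels, i - 1, labels.length));
            }
        }
        return null;
    }

    /**
     * Match host against one SAN dNSName. A wildcard is honoured only as the
     * whole leftmost label, matching exactly one label, and only when the part
     * after "*." is a registrable domain under the suffix set, so "*.com" and
     * "*.co.uk" are refused.
     */
    static boolean matchIdentity(String host, String identity, Set<String> suffixes) {
        String h = host.toLowerCase(Locale.ROOT);
        String id = identity.toLowerCase(Locale.ROOT);
        if (!id.startsWith("*.")) {
            return h.equals(id);
        }
        String parent = id.substring(2);
        if (parent.isEmpty() || parent.contains("*")) {
            return false;
        }
        // Public-suffix guard: the wildcard must sit below a registrable domain.
        if (registrableDomain(parent, suffixes) == null) {
            return false;
        }
        if (!h.endsWith("." + parent)) {
            return false;
        }
        String leftmost = h.substring(0, h.length() - parent.length() - 1);
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    static boolean verify(String host, List<String> sans, Set<String> suffixes) {
        for (String san : sans) {
            if (matchIdentity(host, san, suffixes)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // The SAN dNSNames quoted in the report.
        List<String> sans = Arrays.asList(
                "*.storage.googleapis.com",
                "*.commondatastorage.googleapis.com",
                "*.googleapis.com");
        String host = "maps.googleapis.com";

        // Guarding with ICANN and PRIVATE entries together reproduces the report:
        // "googleapis.com" is handled like "co.uk", so "*.googleapis.com" is refused.
        System.out.println("ICANN+PRIVATE guard: " + verify(host, sans, union(ICANN, PRIVATE)));
        // Guarding with ICANN entries only accepts the Google wildcard ...
        System.out.println("ICANN-only guard:    " + verify(host, sans, ICANN));
        // ... while a wildcard spanning a registry suffix is still refused.
        System.out.println("*.co.uk vs www.co.uk: "
                + verify("www.co.uk", Arrays.asList("*.co.uk"), ICANN));
    }
}
```

Run it with a JDK 11 or later via "java WildcardSuffixDemo.java", or compile with javac and run the class. The check that matters for the report is the one in matchIdentity that calls registrableDomain on the text after "*.": that guard is what stops "*.com" style certificates, and it is also what misfires as soon as a single-owner suffix such as "googleapis.com" is fed to it alongside the registry suffixes.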

People

  Assignee: Unassigned
  Reporter: Steven Schlansker (stevenschlansker)