HttpComponents HttpClient / HTTPCLIENT-1997

SSLPeerUnverifiedException on matching wildcard certificate


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.5.9
    • Fix Version/s: 4.5.10, 5.0 Beta5
    • Component/s: None
    • Labels: None
    • Environment: Oracle Java 11 on Mac OS 10.14.5
      as well as Open JDK 11 on Pivotal Cloud Foundry/Linux 4.15.0-50-generic x86_64

      Spring Boot 2.1.6 which uses httpclient 4.5.9

    Description

      The step from httpclient 4.5.8 to 4.5.9 seems to have changed the behaviour of the DefaultHostnameVerifier. I now receive an SSLPeerUnverifiedException when trying to connect to a server that uses a wildcard server certificate. This used to work in 4.5.8.

      javax.net.ssl.SSLPeerUnverifiedException: Certificate for <service.apps.dev.b.cloud.a> doesn't match any of the subject alternative names: [dev.b.cloud.a, *.system.dev.b.cloud.a, *.int.dev.b.cloud.a, *.login.system.dev.b.cloud.a, *.uaa.system.dev.b.cloud.a, *.apps.dev.b.cloud.a, *.ext.dev.b.cloud.a, CertreqId-12345]
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
          at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
          at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
          at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
          at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
          at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
          at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
          at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
          at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
          at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
          ...
      

      Expected: The host name verifier should accept the subject alternative name *.apps.dev.b.cloud.a for the server service.apps.dev.b.cloud.a.

      I suspect the issue to be related to HTTPCLIENT-1991. It changed PublicSuffixMatcher, which is used by DefaultHostnameVerifier. In the debugger I found that DefaultHostnameVerifier.verify(String, SSLSession) fails to verify the host/x509 certificate combination in line 99.
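The expected behaviour described in the report (a leftmost, whole-label wildcard SAN matching exactly one host label) is the RFC 6125 DNS-ID rule. The following is an added, self-contained Python illustration of that rule, not httpclient's DefaultHostnameVerifier and not code from the reporter; the SAN list and host name are copied from the exception message above, and the fixed minimum-label floor that stands in for httpclient's public-suffix check is an assumption made for the example.

```python
"""Constructed example: RFC 6125-style DNS-ID matching of a host against SANs."""
import ipaddress

# dNSName entries copied from the SSLPeerUnverifiedException in the report.
REPORTED_SANS = [
    "dev.b.cloud.a", "*.system.dev.b.cloud.a", "*.int.dev.b.cloud.a",
    "*.login.system.dev.b.cloud.a", "*.uaa.system.dev.b.cloud.a",
    "*.apps.dev.b.cloud.a", "*.ext.dev.b.cloud.a", "CertreqId-12345",
]
REPORTED_HOST = "service.apps.dev.b.cloud.a"

# Assumption (simplification): refuse a wildcard whose fixed part has fewer
# than this many labels, so "*.com" or "*.co.uk" can never match. httpclient
# consults a public-suffix list (PublicSuffixMatcher) for this; not used here.
MIN_LABELS_AFTER_WILDCARD = 2


def _normalise(name):
    """Lower-case, drop surrounding whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_id_matches(san, host):
    """Return True if the dNSName SAN covers host under the RFC 6125 rule."""
    san, host = _normalise(san), _normalise(host)
    if not san or not host:
        return False
    if "*" not in san:
        return san == host                      # exact, case-insensitive match
    if _is_ip(host):
        return False                            # wildcards never cover IP literals
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Only a whole-label wildcard in the leftmost position is accepted.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    if len(san_labels) - 1 < MIN_LABELS_AFTER_WILDCARD:
        return False
    # The wildcard stands for exactly one label: the host must have the same
    # label count, so it never spans a "." and never matches the bare parent
    # name (apps.dev.b.cloud.a is not covered by *.apps.dev.b.cloud.a).
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[0] != "" and host_labels[1:] == san_labels[1:]


def matching_san(host, sans):
    """Return the first SAN that covers host, or None (the verifier's decision)."""
    for san in sans:
        if dns_id_matches(san, host):
            return san
    return None


if __name__ == "__main__":
    print(REPORTED_HOST, "->", matching_san(REPORTED_HOST, REPORTED_SANS))
```

Run against the reported host and SAN list, `matching_san` returns `*.apps.dev.b.cloud.a`, which is the outcome the report expects; a host with an extra label (`a.service.apps.dev.b.cloud.a`) or the bare parent (`apps.dev.b.cloud.a`) is correctly rejected, which is the behaviour a verifier must keep while fixing the regression.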

      People

        Assignee: Unassigned
        Reporter: Marc Layer (marclayer)
        Votes: 0
        Watchers: 6