[HTTPCLIENT-2047] Regression in default HTTP Client construction for non-public hostnames - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 4.5.11
Fix Version/s: 4.5.12, 5.0
Component/s: HttpClient (classic)
Labels:
- regression

Description

I believe that the result of:

https://github.com/apache/httpcomponents-client/commit/b184b244ad9342a384ba87f48c6b48805a3b0f1f

and:

https://github.com/apache/httpcomponents-client/commit/e0416f07c344929699a2bc303eb3a049c62bd979

Caused a regression which prevents non-public hostnames from validating, resulting in errors like (I have redacted hostnames as possible):


Certificate for <hostname-workspace-1.ops.domain.local> doesn't match any of the subject alternative names: [user-id-60662, hostname-workspace-1.ops.domain.local, 127.0.0.1, 10.2.243.75]

This is because the default value of ICANN is now supplied to the PublicSuffixMatcher, which causes it to only accept publicly accessible hostnames now (or so it seems).

Attachments

Issue Links

is duplicated by

HTTPCLIENT-2055 Verification of certificates containing wildcard SANs fails for non-public domains

Resolved

HTTPCLIENT-2058 DefaultHostnameVerifier does not verify local DNS names

Resolved

HTTPCLIENT-2054 SSLPeerUnverifiedException with wildcard

Resolved

HTTPCLIENT-2060 SSLPeerUnverifiedException: Certificate for <X> doesn't match any of the subject alternative names: [X, Y, Z]

Closed

links to

GitHub Pull Request #203

Activity

People

Assignee:: Unassigned

Reporter:: Mike

Votes:: 1 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 22/Jan/20 01:23

Updated:: 11/Mar/20 09:13

Resolved:: 29/Jan/20 08:48

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1.5h