Affects Version/s: 4.5.9, 4.5.11
Fix Version/s: None
This case is very similar to
Using a certificate containing wildcard domain names as subject alternative name (SAN) for non-public domains (i.e. something like a .mycorp TLD) fails in some versions of HttpClient:
The following (JUnit 4) test case demonstrates the issue:
Here is the result for various HttpClient versions:
With the 4.5.11 code base I'm wondering why DefaultHostnameVerifier.matchDNSName() would assume that this is an ICANN (i.e. public) domain.
Passing DomainType.UNKNOWN instead of DomainType.ICANN to matchIdentityStrict() solves this issue (but I'm not sure whether that has other issues elsewhere in the code).
A workaround is to add the private domain name mycorp to resource /mozilla/public-suffix-list.txt on the classpath (the default version of which is provided by HttpClient). This is tricky to solve, though, as one has to make sure to have the modified version in the classpath before httpclient-<version>.jar.
Note also that this workaround only works when the domain name is added to the public ICANN section, which stresses the point above: why would we assume that the provided domain name is a public DNS name?
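The workaround above as an added shell example (not part of this report or of HttpClient): it inserts a private TLD into a copy of public-suffix-list.txt inside the ICANN section and checks that the directory holding the copy precedes httpclient-<version>.jar on the classpath. The TLD value, the paths and the sample list are constructed assumptions.

```shell
#!/bin/sh
# Constructed minimal public-suffix-list.txt with the section markers the
# real file (and HttpClient's parser) uses. Usage: make_sample_psl <path>
make_sample_psl() {
    printf '%s\n' '// ===BEGIN ICANN DOMAINS===' 'com' 'org' \
        '// ===END ICANN DOMAINS===' \
        '// ===BEGIN PRIVATE DOMAINS===' 'github.io' \
        '// ===END PRIVATE DOMAINS===' > "$1"
}

# Usage: add_tld_to_psl <input psl> <output psl> <tld>
# Copies the list, adding <tld> as a rule just before the ICANN section
# ends; prints "inserted" or "already-present", fails if no ICANN section.
add_tld_to_psl() {
    in="$1"; out="$2"; tld="$3"
    end_marker='// ===END ICANN DOMAINS==='
    if ! grep -qF "$end_marker" "$in"; then
        echo "no ICANN section marker in $in" >&2
        return 1
    fi
    # A rule is the bare suffix on its own line; do not duplicate it.
    if grep -qxF "$tld" "$in"; then
        cp "$in" "$out"
        echo "already-present"
        return 0
    fi
    awk -v tld="$tld" -v marker="$end_marker" '
        index($0, marker) == 1 { print tld }   # new rule stays inside ICANN
        { print }
    ' "$in" > "$out"
    echo "inserted"
}

# Usage: psl_dir_precedes_jar <dir> <classpath>
# Returns 0 only when <dir> (holding mozilla/public-suffix-list.txt) comes
# before the first httpclient-<version>.jar entry, so the copy shadows the
# resource bundled in the jar.
psl_dir_precedes_jar() {
    dir="$1"; seen_dir=0
    old_ifs="$IFS"; IFS=:; set -f
    for entry in $2; do
        case "$entry" in
            "$dir") seen_dir=1 ;;
            *httpclient-*.jar) IFS="$old_ifs"; set +f; return $((1 - seen_dir)) ;;
        esac
    done
    IFS="$old_ifs"; set +f
    return 1   # no httpclient jar found: cannot confirm the ordering
}
```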