From 4401991d93e1c4979cf8931e343323f97c335608 Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Sat, 25 Jan 2020 15:49:44 +0100
Subject: [PATCH] HTTPCLIENT-2047: fixed regression in DefaultHostnameVerifier causing rejection of certs with non-standard domains. This reverts commit 87cc64fc
---
 .../http/ssl/DefaultHostnameVerifier.java | 4 +--
 .../http/ssl/TestDefaultHostnameVerifier.java | 25 +++++++++++++++++++
 .../src/test/resources/suffixlistmatcher.txt | 1 +
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
index 5ed5ed49e..19e27a40f 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
@@ -164,7 +164,7 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier
 final SubjectName subjectAlt = subjectAlts.get(i);
 if (subjectAlt.getType() == SubjectName.DNS) {
 final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
- if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
+ if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) {
 return;
 }
 }
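Review bot: The new call drops the `DomainType.ICANN` argument with no comment recording why, so a later reader can easily reinstate the restriction this commit reverts; the matchCN hunk at `@@ -177,7 +177,7 @@` has the same gap. A why-comment above the call would anchor it to the ticket, e.g. `// HTTPCLIENT-2047: do not restrict suffix matching to ICANN domains; that rejected certs for hosts under non-standard (private-suffix) domains`. The accompanying test also asserts that a wildcard sitting directly under a listed private suffix (`*.appspot.com` for `host.appspot.com`) is accepted; whether that is the intended policy or a side effect of the revert is stated nowhere in the hunk and deserves a sentence in the method's Javadoc so the security trade-off is explicit. The enclosing matchDNSName method starts and ends outside this hunk.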
@@ -177,7 +177,7 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier
 final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
 final String normalizedHost = DnsUtils.normalize(host);
 final String normalizedCn = DnsUtils.normalize(cn);
- if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
+ if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher)) {
 throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
 "common name of the certificate subject: " + cn);
 }
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java
index db84c86bf..b4bdee4e3 100644
--- a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java
@@ -44,6 +44,7 @@ import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 /**
@@ -414,4 +415,28 @@ public class TestDefaultHostnameVerifier {
 }
 }
+ @Test
+ public void testMatchDNSName() throws Exception {
+ DefaultHostnameVerifier.matchDNSName(
+ "host.domain.com",
+ Collections.singletonList(SubjectName.DNS("*.domain.com")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "host.xx",
+ Collections.singletonList(SubjectName.DNS("*.xx")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "host.appspot.com",
+ Collections.singletonList(SubjectName.DNS("*.appspot.com")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "demo-s3-bucket.s3.eu-central-1.amazonaws.com",
+ Collections.singletonList(SubjectName.DNS("*.s3.eu-central-1.amazonaws.com")),
+ publicSuffixMatcher);
+ DefaultHostnameVerifier.matchDNSName(
+ "hostname-workspace-1.local",
+ Collections.singletonList(SubjectName.DNS("hostname-workspace-1.local")),
+ publicSuffixMatcher);
+ }
+
 }
diff --git a/httpclient5/src/test/resources/suffixlistmatcher.txt b/httpclient5/src/test/resources/suffixlistmatcher.txt
index b027fe445..e9377cb5f 100644
--- a/httpclient5/src/test/resources/suffixlistmatcher.txt
+++ b/httpclient5/src/test/resources/suffixlistmatcher.txt
@@ -27,6 +27,7 @@ xx
 lan
 appspot.com
+s3.eu-central-1.amazonaws.com
 // ===END PRIVATE DOMAINS===
 // ===BEGIN ICANN DOMAINS===
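Review bot: `testMatchDNSName` only checks that each listed identity is accepted (no exception thrown), so it would still pass if matchDNSName stopped rejecting anything at all; a negative case in the same method — a host that must not match its SAN, asserted to throw `SSLException` in whatever form the file's existing negative tests use — would pin the revert in both directions. The test also has no comment tying it to the ticket; a one-liner such as `// Regression test for HTTPCLIENT-2047: hosts under private or non-standard suffixes must match their DNS SAN` would tell the next maintainer which cases are deliberate. The `publicSuffixMatcher` field the test relies on is declared outside this hunk, as is the class header.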