HTTPCLIENT-2047: fixed regression in DefaultHostnameVerifier causing rejection of certs with non-standard domains.
This reverts commit e0416f07
parent
dbc3342781
commit
736c00da6d
|
@ -169,7 +169,7 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
|
|||
final SubjectName subjectAlt = subjectAlts.get(i);
|
||||
if (subjectAlt.getType() == SubjectName.DNS) {
|
||||
final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
|
||||
if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
|
||||
if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -182,7 +182,7 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
|
|||
final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
|
||||
final String normalizedHost = DnsUtils.normalize(host);
|
||||
final String normalizedCn = DnsUtils.normalize(cn);
|
||||
if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
|
||||
if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher)) {
|
||||
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
|
||||
"common name of the certificate subject: " + cn);
|
||||
}
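Review bot: The `matchIdentityStrict` calls in the subject-alternative-name loop and in the common-name check carry no comment saying which domain types the public-suffix check covers, although that choice decides which wildcard identities hostname verification accepts. The page has lost its +/- markers, so I am inferring from the commit title that the new side is the three-argument call without `DomainType.ICANN`. I would add above each call something like `// Domain type deliberately not restricted to ICANN: that rejected certs for non-standard domains (HTTPCLIENT-2047)`. The default that the three-argument overload applies is not visible in these hunks and should be confirmed against what the tests expect. Both enclosing methods start and end outside the hunks.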
|
||||
|
|
|
@ -35,6 +35,7 @@ import java.nio.charset.Charset;
|
|||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
import javax.net.ssl.SSLException;
|
||||
|
@ -375,6 +376,7 @@ public class TestDefaultHostnameVerifier {
|
|||
Assert.assertTrue(DefaultHostnameVerifier.matchIdentity( "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
|
||||
Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict( "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
|
||||
}
|
||||
|
||||
@Test // Check compressed IPv6 hostname matching
|
||||
public void testHTTPCLIENT_1316() throws Exception{
|
||||
final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001";
|
||||
|
@ -417,4 +419,28 @@ public class TestDefaultHostnameVerifier {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMatchDNSName() throws Exception {
|
||||
DefaultHostnameVerifier.matchDNSName(
|
||||
"host.domain.com",
|
||||
Collections.singletonList(SubjectName.DNS("*.domain.com")),
|
||||
publicSuffixMatcher);
|
||||
DefaultHostnameVerifier.matchDNSName(
|
||||
"host.xx",
|
||||
Collections.singletonList(SubjectName.DNS("*.xx")),
|
||||
publicSuffixMatcher);
|
||||
DefaultHostnameVerifier.matchDNSName(
|
||||
"host.appspot.com",
|
||||
Collections.singletonList(SubjectName.DNS("*.appspot.com")),
|
||||
publicSuffixMatcher);
|
||||
DefaultHostnameVerifier.matchDNSName(
|
||||
"demo-s3-bucket.s3.eu-central-1.amazonaws.com",
|
||||
Collections.singletonList(SubjectName.DNS("*.s3.eu-central-1.amazonaws.com")),
|
||||
publicSuffixMatcher);
|
||||
DefaultHostnameVerifier.matchDNSName(
|
||||
"hostname-workspace-1.local",
|
||||
Collections.singletonList(SubjectName.DNS("hostname-workspace-1.local")),
|
||||
publicSuffixMatcher);
|
||||
}
|
||||
|
||||
}
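Review bot: `testMatchDNSName` only exercises identities that are expected to match, so it would still pass if the verifier accepted every wildcard. Since the commit appears to relax the public-suffix check, the test should also pin the reject path: a wildcard sitting directly on an ICANN suffix from the test list should still be refused, presumably with an `SSLException` as in the common-name check. A one-line comment above the method, such as `// HTTPCLIENT-2047: wildcards over private or non-standard suffixes must still verify`, would explain why `*.xx`, `*.appspot.com` and a `.local` name are covered. Negative cases may already exist elsewhere in the class; only these hunks are visible.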
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
xx
|
||||
lan
|
||||
appspot.com
|
||||
s3.eu-central-1.amazonaws.com
|
||||
// ===END PRIVATE DOMAINS===
|
||||
|
||||
// ===BEGIN ICANN DOMAINS===
|
||||
|
|