[ https://issues.apache.org/jira/browse/HTTPCLIENT-2353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924001#comment-17924001 ]

ASF subversion and git services commented on HTTPCLIENT-2353:
-------------------------------------------------------------

Commit 9e3559ef931576256f73d8f36ee8cf9a8dd71ca3 in httpcomponents-client's
branch refs/heads/dependabot/maven/testcontainers.version-1.20.4 from Arturo Bernal
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=9e3559ef9 ]

HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing identity with
IDN.toUnicode before comparison so that Unicode and punycode forms match
correctly. (#607)



> Incorrect IDN-hostname validation from TLS-certificates
> -------------------------------------------------------
>
>                 Key: HTTPCLIENT-2353
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2353
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 5.4.1
>            Reporter: Kaduk Mikhail
>            Priority: Major
>             Fix For: 5.4.2, 5.5-alpha1
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> The default HttpClient created by {{HttpClientBuilder.create().build()}} cannot 
> validate some IDN hostnames from TLS certificates and throws an exception:
> {code:java}
> Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: 
> Certificate for <поиск-слов.рф> doesn't match any of the subject alternative 
> names: [www.xn----dtbqigoecuc.xn--p1ai, xn----dtbqigoecuc.xn--p1ai]
>       at 
> org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:171)
>       at 
> org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:129)
>       at 
> org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
>       at 
> org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
>       at 
> org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
>       at 
> org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
>       at 
> org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
>       at 
> org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
>       at 
> org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
>       at 
> org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
>       at 
> org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
>       at 
> org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
>       at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
>       at 
> org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
>       at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
>       at 
> org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
>       at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
>       at 
> org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
>       at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
>       at 
> org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
>       at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
>       at 
> org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:174)
>       at 
> org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
>       at 
> org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
>       at 
> org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
> {code}
> I didn't test the behaviour on other IDN hostnames, but this error occurs on 
> the hostname {{поиск-слов.рф}}.
> The certificate of this website contains two subject alternative names:
>  * {{www.xn----dtbqigoecuc.xn--p1ai}}
>  * {{xn----dtbqigoecuc.xn--p1ai}}
> {{xn----dtbqigoecuc.xn--p1ai}} equals the encoded {{поиск-слов.рф}}, 
> but {{org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchIdentity}} 
> compares host and identity via {{equalsIgnoreCase}} and returns false.
> Link to the code on GitHub: 
> https://github.com/apache/httpcomponents-client/blob/rel/v5.4.1/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java#L260
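The mismatch the reporter describes, and the normalization the commit message names, reduced to a stand-alone Java snippet. This is an added example, not HttpClient's own code: the host string and the two SAN entries are the values quoted in the report above, the method names are made up for illustration, and the third variant (A-label comparison, as RFC 6125 section 6.4.2 prefers) is an alternative shown for contrast, not what the commit does.

```java
import java.net.IDN;
import java.util.List;
import java.util.Locale;

// Added example (not HttpClient code): why a plain equalsIgnoreCase fails for a
// Unicode host against punycode dNSName entries, and two ways to normalize first.
public final class IdnHostnameMatchExample {

    // Host as the application typed it, and the SAN entries quoted in the report.
    static final String HOST = "поиск-слов.рф";
    static final List<String> SAN_DNS_NAMES = List.of(
            "www.xn----dtbqigoecuc.xn--p1ai",
            "xn----dtbqigoecuc.xn--p1ai");

    // Behaviour the report describes for 5.4.1: case-insensitive string comparison only,
    // so a U-label host never equals an A-label SAN entry.
    static boolean matchesRaw(String host, List<String> identities) {
        for (String id : identities) {
            if (host.equalsIgnoreCase(id)) {
                return true;
            }
        }
        return false;
    }

    // Approach named in the commit message: bring both sides to Unicode (U-label) form.
    // IDN.toUnicode decodes "xn--" labels and leaves labels it cannot decode unchanged,
    // so an already-Unicode host passes through as-is.
    static boolean matchesViaToUnicode(String host, List<String> identities) {
        String h = IDN.toUnicode(host).toLowerCase(Locale.ROOT);
        for (String id : identities) {
            if (h.equals(IDN.toUnicode(id).toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // Alternative (RFC 6125 section 6.4.2): convert the reference identifier to A-label
    // (ASCII) form and compare against the dNSName values, which are ASCII by definition.
    // IDN.toASCII throws IllegalArgumentException on input it cannot encode; treat that
    // as "no match" rather than letting the exception escape the verifier.
    static boolean matchesViaToAscii(String host, List<String> identities) {
        String h;
        try {
            h = IDN.toASCII(host).toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return false;
        }
        for (String id : identities) {
            if (h.equals(id.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("equalsIgnoreCase only: " + matchesRaw(HOST, SAN_DNS_NAMES));
        System.out.println("via IDN.toUnicode:     " + matchesViaToUnicode(HOST, SAN_DNS_NAMES));
        System.out.println("via IDN.toASCII:       " + matchesViaToAscii(HOST, SAN_DNS_NAMES));
    }
}
```

Two caveats a practitioner would want: whichever form is chosen, both the reference identifier and every presented identifier must be brought to the same form before comparison, otherwise a Unicode host still cannot match an ASCII SAN entry; and the comparison above does exact-label matching only, so wildcard SAN entries need the separate wildcard rules the verifier applies before any string equality.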



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
