Re: [PR] Decode Subject Alternative Names (SAN) for X.509 Certificates [httpcomponents-client]

Fri, 28 Mar 2025 06:55:54 -0700 


leonardehrenfried commented on PR #610:
URL: 
https://github.com/apache/httpcomponents-client/pull/610#issuecomment-2761435839

   Has this change made into 5.4.3?
   
   I upgrade to that version yesterday and I'm seeing the following exception 
which seems related:
   
   ```
   Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for 
<s3.amazonaws.com> doesn't match any of the subject alternative names: 
[s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, 
s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, 
s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, 
s3-control.us-east-1.amazonaws.com, 
*.s3-control.dualstack.us-east-1.amazonaws.com, 
s3-control.dualstack.us-east-1.amazonaws.com, 
*.s3-accesspoint.us-east-1.amazonaws.com, 
*.s3-accesspoint.dualstack.us-east-1.amazonaws.com, 
*.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, 
s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, 
s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
        at 
org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
        at 
org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
        at 
org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
        at 
org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
        at 
org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
        at 
org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
        at 
org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
        at 
org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
        at 
org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
        at 
org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
        at 
org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
        at 
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
        at 
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
        at 
org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
        at 
org.opentripplanner.framework.io.OtpHttpClient.executeAndMapWithResponseHandler(OtpHttpClient.java:302)
        ... 14 common frames omitted
   ```
   
   When I downgrade to 5.4.2 the request succeeds.
   
   The URL that fails is the following: 
https://s3.amazonaws.com/kcm-alerts-realtime-prod/vehiclepositions.pb


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to