arturobernalg commented on PR #610:
URL: https://github.com/apache/httpcomponents-client/pull/610#issuecomment-2761827914

   > Has this change made it into 5.4.3?
   > 
   > I upgraded to that version yesterday and I'm seeing the following exception which seems related:
   > 
   > ```
   > Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <s3.amazonaws.com> doesn't match any of the subject alternative names: [s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, s3-control.us-east-1.amazonaws.com, *.s3-control.dualstack.us-east-1.amazonaws.com, s3-control.dualstack.us-east-1.amazonaws.com, *.s3-accesspoint.us-east-1.amazonaws.com, *.s3-accesspoint.dualstack.us-east-1.amazonaws.com, *.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
   >    at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
   >    at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
   >    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
   >    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
   >    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
   >    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
   >    at org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
   >    at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
   >    at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
   >    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
   >    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
   >    at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
   >    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
   >    at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
   >    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
   >    at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
   >    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
   >    at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
   >    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
   >    at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
   >    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
   >    at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
   >    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
   >    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
   >    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
   >    at org.opentripplanner.framework.io.OtpHttpClient.executeAndMapWithResponseHandler(OtpHttpClient.java:302)
   >    ... 14 common frames omitted
   > ```
   > 
   > When I downgrade to 5.4.2 the request succeeds.
   > 
   > The URL that fails is the following: https://s3.amazonaws.com/kcm-alerts-realtime-prod/vehiclepositions.pb
   
   This failure isn't caused by SAN parsing. The old code ignored byte[] SANs 
entirely, including iPAddress (type 7), which per RFC 5280 must be stored as an 
OCTET STRING in network byte order. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

