Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-1412

SSLException hostname in certificate didn't match for CNAME

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Major Major
    • None
    • 3.0.17.Final
    • None
    • None
    • Hide

      See attached test case: mvn clean test

      Show
      See attached test case: mvn clean test
    • Workaround Exists
    • Hide

      See workaround in RESTEASY-1089

      Show
      See workaround in RESTEASY-1089

      We are calling a REST api via HTTPS (api.smallinvoice.com).
      The Server does present a valid SSL wildcard certificate for *.smallinvoice.com.

      Seems like RestEasy does certificate validation by doing a DNS lookup an taking the hostname from the DNS response.
      Problem is: api.smallinvoice.com is a CNAME for some other server (app1.lourenssystems.ch). That other domain does itself present a certificate that is for a third host (www.pingen.com).

      IMHO, RestEasy should take the hostname or CNAME from the DNS response that matches the request url (api.smallinvoice.com in this case) and not the first name presented by the DNS server.

      Problem seems not seem to be in the underlying Apache httpclient as using httpclient directly does not produce any errors, see attached test case.
      (but maybe I'm using that httpclient wrong).

        1. testcase.tgz
          2 kB
        2. testcase.tgz
          2 kB

              Unassigned Unassigned
              christophlinder Christoph Linder (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: