- Bug
- Resolution: Done
- Major
- 2.0.21.Final
- None
When creating a client SSL connection via an HTTP proxy, the destination address indicated in the SSL connection is the address of the proxy. This is wrong and leads to a CertificateException:
java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:434)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:291)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:620)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
    at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1111)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
(in this case the proxy was running on 127.0.0.1).
- is incorporated by
  - WFCORE-4552 Upgrade Undertow to 2.0.24.Final (Closed)
- is related to
  - UNDERTOW-1539 Add option to enable certificate host name matching (Resolved)
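The failure reported in this issue occurs when the TLS layer is told that its peer is the proxy rather than the destination. The following is an added example using plain JSSE sockets, not Undertow's client code or its fix: it opens a CONNECT tunnel and then starts TLS with the destination host as the peer identity. The class name, method names and command-line arguments are assumptions made for the illustration.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
public class ProxyTunnelTls {
    /** Opens a CONNECT tunnel through the proxy, then runs TLS addressed to the destination. */
    static SSLSocket connect(String proxyHost, int proxyPort, String destHost, int destPort)
            throws IOException {
        Socket tunnel = new Socket(proxyHost, proxyPort);
        try {
            String authority = destHost + ":" + destPort;
            tunnel.getOutputStream().write(
                ("CONNECT " + authority + " HTTP/1.1\r\nHost: " + authority + "\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            InputStream in = tunnel.getInputStream();
            String status = readLine(in);
            if (!status.matches("HTTP/1\\.[01] 2\\d\\d.*"))
                throw new IOException("Proxy refused CONNECT: " + status);
            while (!readLine(in).isEmpty()) { /* skip the proxy's response headers */ }
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            // The peer identity is the destination. Passing proxyHost here instead makes the
            // host name check compare the server certificate with the proxy's address.
            SSLSocket tls = (SSLSocket) factory.createSocket(tunnel, destHost, destPort, true);
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // enforce host name matching
            tls.setSSLParameters(params);
            tls.startHandshake(); // throws SSLHandshakeException on an identity mismatch
            return tls;
        } catch (IOException | RuntimeException e) {
            tunnel.close();
            throw e;
        }
    }

    /** Reads one line byte by byte so that no TLS bytes are swallowed by a buffer. */
    static String readLine(InputStream in) throws IOException {
        StringBuilder line = new StringBuilder();
        for (int c = in.read(); c != -1 && c != '\n'; c = in.read()) {
            if (c != '\r') line.append((char) c);
        }
        return line.toString();
    }

    public static void main(String[] args) throws IOException {
        // Assumed usage: <proxyHost> <proxyPort> <destHost> <destPort>, all supplied by the caller.
        try (SSLSocket tls = connect(args[0], Integer.parseInt(args[1]),
                                     args[2], Integer.parseInt(args[3]))) {
            System.out.println("Verified peer: " + tls.getSession().getPeerPrincipal());
        }
    }
}
```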