LLG20111699 / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

openid4java fails SSL host-name verification with apache httpclient 4.1.2 #162

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Build a test with apache httpcomponents-httpclient 4.1.2
2. Attempt to authenticate with Yahoo (https://me.yahoo.com) or Google 
(https://www.google.com/accounts/o8/id) 
3.

What is the expected output? What do you see instead?

javax.net.ssl.SSLException: hostname in certificate didn't match: 
<me.yahoo.com/68.142.242.195> != <me.yahoo.com>

There's a bug in your HttpClientFactory - using deprecated httpclient api calls:
  http://code.google.com/p/openid4java/source/browse/trunk/src/org/openid4java/util/HttpClientFactory.java

This e-mail describes the problem:

http://old.nabble.com/HttpClient-4.1.2-hostname-in-certificate-didn%27t-match-td32222087.html#a32227960

What version of the product are you using? On what operating system?

0.9.6 from repo1.maven.org

Please provide any additional information below.

It would be great if you would refactor HttpCache to accept an apache 
HttpClient in a constructor - or at least make _client "protected", so an 
HttpCache subtype can manage that property.  
  http://code.google.com/p/openid4java/source/browse/trunk/src/org/openid4java/util/HttpCache.java   

I have an app that manages HttpClient itself, so I could just inject the app's 
HttpClient into openid4java.  As it is - I guess I'll just copy HttpCache to my 
own class, and patch my own HttpFetcherFactory to the ConsumerManager.

If I can find some time, then I could try to put a patch together.  Let me know 
if you would accept an external patch.

Original issue reported on code.google.com by reuben.p...@gmail.com on 19 Aug 2011 at 6:42

GoogleCodeExporter commented 9 years ago
Got the same problem, it does compare domain/ip string against domain!

Original comment by pether.s...@gmail.com on 21 Aug 2011 at 12:30
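
The mismatch reported in the two comments above, reproduced offline as an added example (not code from the thread, openid4java or HttpClient). It assumes the `host/ip` string in the exception is the `InetAddress.toString()` form of the resolved address, and `matches` is a simplified stand-in for a strict hostname verifier; the class and method names are hypothetical.

```java
import java.net.InetAddress;
import java.util.Locale;

public class HostnameMismatchDemo {

    // Simplified stand-in for a strict hostname check: exact match, or a
    // single leftmost "*." wildcard. This is not HttpClient's verifier.
    static boolean matches(String presented, String certName) {
        String host = presented.toLowerCase(Locale.ROOT);
        String name = certName.toLowerCase(Locale.ROOT);
        if (name.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot).equals(name.substring(1));
        }
        return host.equals(name);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: host and address copied from the exception text.
        // getByAddress() performs no DNS lookup, so this runs offline.
        byte[] ip = {68, (byte) 142, (byte) 242, (byte) 195};
        InetAddress resolved = InetAddress.getByAddress("me.yahoo.com", ip);
        String certName = "me.yahoo.com"; // name the certificate is issued for

        // InetAddress.toString() has the form "<hostname>/<ip literal>".
        String asString = resolved.toString();
        // getHostName() returns the name the address was created with.
        String asHostName = resolved.getHostName();

        // Handing the toString() form to the check reproduces the mismatch;
        // handing it the plain host name passes.
        System.out.println(asString + " -> " + matches(asString, certName));
        System.out.println(asHostName + " -> " + matches(asHostName, certName));
    }
}
```

The rejection in the first case is the verifier working as intended on a malformed name, so the remedy is to pass it the original host string rather than to relax verification.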

GoogleCodeExporter commented 9 years ago
I have generated a small patch (attached) which fixes the problem (and removes 
some duplicated calls in HttpClientFactory).

Original comment by ofr...@gmail.com on 20 Dec 2011 at 8:40

GoogleCodeExporter commented 9 years ago
Please accept this patch. The incompatibility with HttpClient 4.1.2 is a major 
annoyance.

Original comment by dkocher@sudo.ch on 28 Dec 2011 at 10:39

GoogleCodeExporter commented 9 years ago
Got the same problem. Downgrade HttpClient to 4.1.1 and wait changes in major 
annoyance

Original comment by pushis...@gmail.com on 20 Apr 2012 at 12:37

GoogleCodeExporter commented 9 years ago
Patch works for us, thank you. +1 for fix

Original comment by ku...@re-media.eu on 21 Sep 2012 at 12:35

GoogleCodeExporter commented 9 years ago
Issue 166 has been merged into this issue.

Original comment by Johnny.B...@gmail.com on 30 Oct 2012 at 10:17

GoogleCodeExporter commented 9 years ago
Thank you for the patch, it is checked in as r680 and dependency upgraded to 
latest httpclient - 4.2.2.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 7:01