Type: Bug
Resolution: Duplicate
Priority: P4
Fix Version/s: None
Affects Version/s: 17
OS: generic
CPU: generic
A DESCRIPTION OF THE PROBLEM :
Using an intermediate CA certificate with:
Permitted
[1]Subtrees (0..Max):
DNS Name=.paeuw1.mydomain.com
And a certificate with:
CN = myapp.prd-0000043.paeuw1.mydomain.com
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
import java.io.*;
import javax.net.ssl.*;
public class NameConstraintsRepro {
    public static void main(String[] args) throws Exception {
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("myapp.prd-0000043.paeuw1.mydomain.com", 443);
        InputStream in = sslsocket.getInputStream();
        OutputStream out = sslsocket.getOutputStream();
        // Write a test byte to force the handshake (and with it PKIX path validation) to run :)
        out.write(1);
    }
}
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Successful connection
ACTUAL -
sun.security.x509.NameConstraintsExtension.constrains returns "NAME_SAME_TYPE" as per code:
} else if (inName.endsWith(thisName)) {
int ndx = inName.lastIndexOf(thisName);
if (inName.charAt(ndx-1) == '.' )
constraintType = NAME_NARROWS;
and the caller, sun.security.x509.NameConstraintsExtension.verify, returns false:
case GeneralNameInterface.NAME_SAME_TYPE:
sameType = true;
continue; // continue to look for a match or narrow
case GeneralNameInterface.NAME_MATCH:
case GeneralNameInterface.NAME_NARROWS:
// name narrows permitted
return true; // name is definitely OK, so break out of loop
}
}
if (sameType) {
return false;
}
which results in a
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: name constraints check failed
A check with openssl validates the certificate with no problem:
openssl s_client -CAfile intermediate.pem -verify_hostname=myapp.prd-0000043.paeuw1.mydomain.com -connect myapp.prd-0000043.paeuw1.mydomain.com:443
FREQUENCY : always
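The comparison the report quotes can be reproduced without a TLS stack at all, since it is a pure string check. The block below is an added illustration, not code from the bug report or from the JDK: jdk_constrains is a transliteration of the DNSName comparison quoted above, permitted_by mirrors the permitted-subtree loop of NameConstraintsExtension.verify, and leading_period_constrains is a variant that reads a constraint beginning with "." the way OpenSSL does (any name with at least one extra label). The function names are mine, the variant is not the JDK-8311546 patch, and the sample names other than the two taken from the report are constructed.

```python
# Outcomes of a name-constraint comparison, mirroring the
# GeneralNameInterface constants named in the quoted JDK code.
NAME_MATCH = 0
NAME_NARROWS = 1
NAME_WIDENS = 2
NAME_SAME_TYPE = 3


def jdk_constrains(constraint: str, name: str) -> int:
    """Transliteration of the affected JDK's DNS-name comparison.

    `constraint` plays the role of thisName (the permitted subtree) and
    `name` of inName (the leaf's DNS name); both are lower-cased as the JDK does.
    """
    this_name = constraint.lower()
    in_name = name.lower()
    if in_name == this_name:
        return NAME_MATCH
    if this_name.endswith(in_name):
        # Leaf is a suffix of the constraint: widens only on a label boundary.
        ndx = this_name.rfind(in_name)
        return NAME_WIDENS if this_name[ndx - 1] == "." else NAME_SAME_TYPE
    if in_name.endswith(this_name):
        ndx = in_name.rfind(this_name)
        # With a constraint of ".paeuw1.mydomain.com" the character before the
        # suffix is the last character of the "prd-0000043" label, never ".",
        # so the leaf is classified NAME_SAME_TYPE instead of NAME_NARROWS.
        return NAME_NARROWS if in_name[ndx - 1] == "." else NAME_SAME_TYPE
    return NAME_SAME_TYPE


def leading_period_constrains(constraint: str, name: str) -> int:
    """Illustrative variant (not the JDK fix): a constraint that starts with
    "." permits exactly the names that have at least one label in front of it,
    which is how OpenSSL's name-constraint code treats such a value."""
    this_name = constraint.lower()
    in_name = name.lower()
    if this_name.startswith("."):
        if in_name.endswith(this_name) and len(in_name) > len(this_name):
            return NAME_NARROWS
        return NAME_SAME_TYPE  # bare "paeuw1.mydomain.com" is NOT permitted
    return jdk_constrains(constraint, name)


def permitted_by(constrains, permitted_subtrees, name: str) -> bool:
    """Permitted-subtree half of NameConstraintsExtension.verify, as quoted:
    a NAME_SAME_TYPE (or NAME_WIDENS) result only records that a constraint of
    this type exists; without a MATCH/NARROWS the name is rejected."""
    same_type = False
    for subtree in permitted_subtrees:
        outcome = constrains(subtree, name)
        if outcome in (NAME_SAME_TYPE, NAME_WIDENS):
            same_type = True
            continue
        if outcome in (NAME_MATCH, NAME_NARROWS):
            return True
    return not same_type


# The two names from the report, plus constructed edge cases.
CONSTRAINT = ".paeuw1.mydomain.com"
LEAF = "myapp.prd-0000043.paeuw1.mydomain.com"
SAMPLE_NAMES = (
    LEAF,
    "MYAPP.PRD-0000043.PAEUW1.MYDOMAIN.COM",  # case must not matter
    "paeuw1.mydomain.com",                    # no extra label: not permitted
    "foo.notpaeuw1.mydomain.com",             # suffix attack on the label boundary
)


def compare(constraint: str = CONSTRAINT, names=SAMPLE_NAMES) -> dict:
    """Map each name to (accepted by JDK logic, accepted by leading-period logic)."""
    return {
        n: (permitted_by(jdk_constrains, [constraint], n),
            permitted_by(leading_period_constrains, [constraint], n))
        for n in names
    }


if __name__ == "__main__":
    for n, (jdk, lenient) in compare().items():
        print(f"{n:45} jdk={jdk!s:5} leading-period={lenient}")
```

Running it shows the reported failure (the leaf is rejected by the JDK logic and accepted by the leading-period reading) while both readings still reject the bare domain and the "notpaeuw1" suffix, so the leading period tightens rather than loosens the constraint. The practical check on a real chain is the same one the reporter used: openssl verify with the intermediate as CAfile, or, on the Java side, a CertPathValidator run with the leaf and intermediate, with the error "name constraints check failed" pointing at this comparison.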
Duplicates: JDK-8311546 Certificate name constraints improperly validated with leading period (Closed)