HTTPCLIENT-2047: fixed regression in DefaultHostnameVerifier causing …

…rejection of certs with non-standard domains.

This reverts commit e0416f0

httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java

@@ -169,7 +169,7 @@ static void matchDNSName(final String host, final List<SubjectName> subjectAlts,
             final SubjectName subjectAlt = subjectAlts.get(i);
             if (subjectAlt.getType() == SubjectName.DNS) {
                 final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
-                if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
+                if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) {
                     return;
                 }
             }
@@ -182,7 +182,7 @@ static void matchCN(final String host, final String cn,
                  final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
         final String normalizedHost = DnsUtils.normalize(host);
         final String normalizedCn = DnsUtils.normalize(cn);
-        if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
+        if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher)) {
             throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
                     "common name of the certificate subject: " + cn);
         }

httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java

@@ -35,6 +35,7 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 import javax.net.ssl.SSLException;
@@ -375,6 +376,7 @@ public void testHTTPCLIENT_1997_UNKNOWN() { // Only True on all domains (same as
         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
     }
+
     @Test // Check compressed IPv6 hostname matching
     public void testHTTPCLIENT_1316() throws Exception{
         final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001";
@@ -417,4 +419,28 @@ public void testExtractCN() throws Exception {
         }
     }
 
+    @Test
+    public void testMatchDNSName() throws Exception {
+        DefaultHostnameVerifier.matchDNSName(
+                "host.domain.com",
+                Collections.singletonList(SubjectName.DNS("*.domain.com")),
+                publicSuffixMatcher);
+        DefaultHostnameVerifier.matchDNSName(
+                "host.xx",
+                Collections.singletonList(SubjectName.DNS("*.xx")),
+                publicSuffixMatcher);
+        DefaultHostnameVerifier.matchDNSName(
+                "host.appspot.com",
+                Collections.singletonList(SubjectName.DNS("*.appspot.com")),
+                publicSuffixMatcher);
+        DefaultHostnameVerifier.matchDNSName(
+                "demo-s3-bucket.s3.eu-central-1.amazonaws.com",
+                Collections.singletonList(SubjectName.DNS("*.s3.eu-central-1.amazonaws.com")),
+                publicSuffixMatcher);
+        DefaultHostnameVerifier.matchDNSName(
+                "hostname-workspace-1.local",
+                Collections.singletonList(SubjectName.DNS("hostname-workspace-1.local")),
+                publicSuffixMatcher);
+    }
+
 }

httpclient/src/test/resources/suffixlistmatcher.txt

@@ -27,6 +27,7 @@
 xx
 lan
 appspot.com
+s3.eu-central-1.amazonaws.com
 // ===END PRIVATE DOMAINS===
 
 // ===BEGIN ICANN DOMAINS===