From d4ae2a243ef7925447af7a1a1d3df46f2f7b34d1 Mon Sep 17 00:00:00 2001 From: rusher Date: Tue, 22 Aug 2017 15:33:34 +0200 Subject: [PATCH] [CONJ-511] Add legacy SSL certificate Hostname verification with CN even when SAN are set Improve error message --- .../mariadb/jdbc/BasePrepareStatement.java | 4 +- .../org/mariadb/jdbc/MariaDbStatement.java | 11 +- .../failover/impl/AuroraListener.java | 2 +- .../protocol/AbstractConnectProtocol.java | 2 +- .../protocol/AbstractQueryProtocol.java | 6 +- .../jdbc/internal/protocol/Protocol.java | 2 +- .../protocol/tls/HostnameVerifierImpl.java | 114 +++++++++++------- .../tls/HostnameVerifierImplTest.java | 64 +++++----- 8 files changed, 122 insertions(+), 83 deletions(-) diff --git a/src/main/java/org/mariadb/jdbc/BasePrepareStatement.java b/src/main/java/org/mariadb/jdbc/BasePrepareStatement.java index 52a95c58c..44a3f1803 100644 --- a/src/main/java/org/mariadb/jdbc/BasePrepareStatement.java +++ b/src/main/java/org/mariadb/jdbc/BasePrepareStatement.java @@ -117,8 +117,10 @@ public abstract class BasePrepareStatement extends MariaDbStatement implements P * @param autoGeneratedKeys a flag indicating whether auto-generated keys should be returned; one of * Statement.RETURN_GENERATED_KEYS * or Statement.NO_GENERATED_KEYS + * @throws SQLException if cannot retrieve auto increment value */ - public BasePrepareStatement(MariaDbConnection connection, int resultSetScrollType, int resultSetConcurrency, int autoGeneratedKeys) { + public BasePrepareStatement(MariaDbConnection connection, int resultSetScrollType, int resultSetConcurrency, int autoGeneratedKeys) + throws SQLException { super(connection, resultSetScrollType, resultSetConcurrency); this.noBackslashEscapes = protocol.noBackslashEscapes(); this.useFractionalSeconds = options.useFractionalSeconds; diff --git a/src/main/java/org/mariadb/jdbc/MariaDbStatement.java b/src/main/java/org/mariadb/jdbc/MariaDbStatement.java index fed15dcbc..a8482e708 100644 
--- a/src/main/java/org/mariadb/jdbc/MariaDbStatement.java +++ b/src/main/java/org/mariadb/jdbc/MariaDbStatement.java @@ -120,8 +120,9 @@ public class MariaDbStatement implements Statement, Cloneable { * ResultSet.TYPE_SCROLL_INSENSITIVE, or ResultSet.TYPE_SCROLL_SENSITIVE * @param resultSetConcurrency a concurrency type; one of ResultSet.CONCUR_READ_ONLY or * ResultSet.CONCUR_UPDATABLE + * @throws SQLException if cannot retrieve auto increment value */ - public MariaDbStatement(MariaDbConnection connection, int resultSetScrollType, int resultSetConcurrency) { + public MariaDbStatement(MariaDbConnection connection, int resultSetScrollType, int resultSetConcurrency) throws SQLException { this.protocol = connection.getProtocol(); this.connection = connection; this.canUseServerTimeout = connection.canUseServerTimeout(); @@ -152,8 +153,12 @@ public MariaDbStatement clone(MariaDbConnection connection) throws CloneNotSuppo clone.protocol = connection.getProtocol(); clone.timerTaskFuture = null; clone.batchQueries = new ArrayList<>(); - clone.results = new Results(clone, clone.protocol.getAutoIncrementIncrement(), - clone.resultSetScrollType, clone.resultSetConcurrency); + try { + clone.results = new Results(clone, clone.protocol.getAutoIncrementIncrement(), + clone.resultSetScrollType, clone.resultSetConcurrency); + } catch (SQLException sqle) { + //eat exception + } clone.closed = false; clone.warningsCleared = true; clone.fetchSize = 0; diff --git a/src/main/java/org/mariadb/jdbc/internal/failover/impl/AuroraListener.java b/src/main/java/org/mariadb/jdbc/internal/failover/impl/AuroraListener.java index 92ec990ed..165345a10 100644 --- a/src/main/java/org/mariadb/jdbc/internal/failover/impl/AuroraListener.java +++ b/src/main/java/org/mariadb/jdbc/internal/failover/impl/AuroraListener.java 
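Review bot: The `catch (SQLException sqle) { //eat exception }` added in `clone(MariaDbConnection)` skips the assignment of `clone.results` when `getAutoIncrementIncrement()` throws, which after this commit happens for connection-class SQL states (`08…`). The clone is still returned with `closed = false`, and `results` keeps whatever it held before (not visible here; possibly the original statement's `Results` if the clone is a shallow copy), so the failure would surface later and far from its cause. Since `clone` does not declare `SQLException`, consider building the `Results` with an increment of 1, the fallback `getAutoIncrementIncrement()` uses for other errors, or at least logging `sqle` rather than discarding it. The method body starts and ends outside the hunk.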
@@ -269,7 +269,7 @@ private List getCurrentEndpointIdentifiers(Protocol protocol) throws SQL } catch (SQLException qe) { log.log(Level.WARNING, "SQL exception occurred: " + qe.getMessage()); if (protocol.getProxy().hasToHandleFailover(qe)) { - if (masterProtocol.equals(protocol)) { + if (masterProtocol == null || masterProtocol.equals(protocol)) { setMasterHostFail(); } else if (secondaryProtocol.equals(protocol)) { setSecondaryHostFail(); diff --git a/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractConnectProtocol.java b/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractConnectProtocol.java index 75cfb2608..496e769d2 100644 --- a/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractConnectProtocol.java +++ b/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractConnectProtocol.java @@ -704,7 +704,7 @@ private void handleConnectionPhases(String host) throws SQLException { X509Certificate cert = (X509Certificate) certs[0]; hostnameVerifier.verify(host, cert); } catch (SSLException ex) { - throw new SQLNonTransientConnectionException(ex.getMessage() + throw new SQLNonTransientConnectionException("SSL hostname verification failed : " + ex.getMessage() + "\nThis verification can be disable using the option \"disableSslHostnameVerification\" " + "but won't prevent man-in-the-middle attacks anymore", "08006"); } diff --git a/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractQueryProtocol.java b/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractQueryProtocol.java index 77cf709d6..34fcb2071 100644 --- a/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractQueryProtocol.java +++ b/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractQueryProtocol.java 
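Review bot: With the added `masterProtocol == null ||` test, a failure is attributed to the master whenever `masterProtocol` is null, even when `protocol` is the secondary, because the `else if (secondaryProtocol.equals(protocol))` branch is then never reached. That branch also still dereferences `secondaryProtocol` without a null check. If both fields can be null at this point (not visible in the hunk), comparing the other way round avoids both problems: `protocol.equals(masterProtocol)` and `protocol.equals(secondaryProtocol)`, with an explicit decision on what a null master should mean. The enclosing method starts and ends outside the hunk.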
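Review bot: The rethrown `SQLNonTransientConnectionException` keeps only `ex.getMessage()` and drops the `SSLException` itself, so the stack trace of the failed hostname check is lost to whoever has to diagnose a rejected TLS connection. `java.sql.SQLNonTransientConnectionException` has a `(String reason, String SQLState, Throwable cause)` constructor; pass `ex` as a third argument after `"08006"`. The same pattern appears in `catch (CertificateParsingException cpe)` in `HostnameVerifierImpl.verify` later in this patch, where `new SSLException("certificate parsing error : " + cpe.getMessage(), cpe)` would keep the cause. The message text reads "can be disable"; "can be disabled" is meant.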
@@ -1395,8 +1395,9 @@ private void handleStateChange(Buffer buf, Results results) throws SQLException * Get current auto increment increment. * * @return auto increment increment. + * @throws SQLException if cannot retrieve auto increment value */ - public int getAutoIncrementIncrement() { + public int getAutoIncrementIncrement() throws SQLException { if (autoIncrementIncrement == 0) { try { Results results = new Results(); @@ -1405,7 +1406,8 @@ public int getAutoIncrementIncrement() { ResultSet rs = results.getResultSet(); rs.next(); autoIncrementIncrement = rs.getInt(1); - } catch (Exception e) { + } catch (SQLException e) { + if (e.getSQLState().startsWith("08")) throw e; autoIncrementIncrement = 1; } } diff --git a/src/main/java/org/mariadb/jdbc/internal/protocol/Protocol.java b/src/main/java/org/mariadb/jdbc/internal/protocol/Protocol.java index bafea1976..01179dbe3 100644 --- a/src/main/java/org/mariadb/jdbc/internal/protocol/Protocol.java +++ b/src/main/java/org/mariadb/jdbc/internal/protocol/Protocol.java @@ -265,7 +265,7 @@ void resetStateAfterFailover(long maxRows, int transactionIsolationLevel, String boolean isEofDeprecated(); - int getAutoIncrementIncrement(); + int getAutoIncrementIncrement() throws SQLException; boolean sessionStateAware(); diff --git a/src/main/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImpl.java b/src/main/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImpl.java index 265455cb8..5d46826a4 100644 --- a/src/main/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImpl.java +++ b/src/main/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImpl.java 
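Review bot: `e.getSQLState().startsWith("08")` in the new catch throws a NullPointerException when the exception carries no SQL state, since `SQLException.getSQLState()` may return null; the previous fallback to `autoIncrementIncrement = 1` is then replaced by an unchecked failure. Guard the test: `if (e.getSQLState() != null && e.getSQLState().startsWith("08")) throw e;`. Narrowing the catch from `Exception` to `SQLException` also lets runtime exceptions from the query escape to callers, which deserves a sentence in the Javadoc if it is intended. The method body continues outside the hunk.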
@@ -47,7 +47,7 @@ private static boolean matchDns(String hostname, String tlsDnsPattern) throws SS if (!matchWildCards(hostIsIp, hostnameSt.nextToken(), templateSt.nextToken())) return false; } } catch (SSLException exception) { - throw new SSLException("host \"" + hostname + "\" doesn't correspond to certificate CN \"" + tlsDnsPattern + throw new SSLException(normalizedHostMsg(hostname) + " doesn't correspond to certificate CN \"" + tlsDnsPattern + "\" : wildcards not possible for IPs"); } return true; @@ -157,12 +157,18 @@ public boolean verify(String host, SSLSession session) { * @throws SSLException exception */ public void verify(String host, X509Certificate cert) throws SSLException { + String normalizedHost = host.toLowerCase(Locale.ROOT); try { + //*********************************************************** + // RFC 6125 : check Subject Alternative Name (SAN) + //*********************************************************** + String altNameError = ""; + SubjectAltNames subjectAltNames = getSubjectAltNames(cert); if (!subjectAltNames.isEmpty()) { //*********************************************************** - // Host is IPv4 : Check corresponding entries in alternative subject names + // Host is IPv4 : Check corresponding entries in subject alternative names //*********************************************************** if (Utils.isIPv4(host)) { for (GeneralName entry : subjectAltNames.getGeneralNames()) { 
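Review bot: `String altNameError = "";` is declared at the top of the new `try` block in `verify(String, X509Certificate)` but is not used in any line visible in this patch; drop it unless a later change needs it. The method's Javadoc still ends at `@throws SSLException exception` and does not describe the new order of checks. I would add a sentence such as `Checks the Subject Alternative Names first and, if none match, falls back to the subject CN (legacy RFC 2818 behaviour).` so that callers can see the fallback without reading the body. The body of `verify` continues beyond this hunk.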
@@ -176,13 +182,10 @@ public void verify(String host, X509Certificate cert) throws SSLException { if (host.equals(entry.value)) return; } } - throw new SSLException("No IPv4 corresponding to host \"" + host + "\" in certificate alt-names " + subjectAltNames.toString()); - } - - //*********************************************************** - // Host is IPv6 : Check corresponding entries in alternative subject names - //*********************************************************** - if (Utils.isIPv6(host)) { + } else if (Utils.isIPv6(host)) { + //*********************************************************** + // Host is IPv6 : Check corresponding entries in subject alternative names + //*********************************************************** String normalisedHost = normaliseAddress(host); for (GeneralName entry : subjectAltNames.getGeneralNames()) { if (logger.isTraceEnabled()) { 
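Review bot: With `throw new SSLException("No IPv4 corresponding to host …")` removed here, and the IPv6 and DNS equivalents removed in the next hunk, a host that matches no SAN entry is now compared against the subject CN, so a certificate is accepted on a CN match even though its SAN list does not name the host. RFC 6125 section 6.4.4 says a client must not fall back to the CN when the certificate presents a DNS-ID, and the updated test (`verifier.verify("a.mariadb.org", cert)` against a certificate whose SAN lists only `other.org` and `www.other.org`) shows the wider acceptance. If the legacy behaviour is needed for existing deployments, consider making it opt-in through a connection option and keeping the strict SAN-only result as the default. Either way the behaviour should be documented alongside `disableSslHostnameVerification`, so operators know which identifiers the driver trusts. The `verify` body starts and ends outside this hunk.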
@@ -199,46 +202,69 @@ public void verify(String host, X509Certificate cert) throws SSLException { } } } - throw new SSLException("No IPv6 corresponding to host \"" + host + "\" in certificate alt-names " + subjectAltNames.toString()); - } - - //*********************************************************** - // Host is not IP = DNS : Check corresponding entries in alternative subject names - //*********************************************************** - String normalizedHost = host.toLowerCase(Locale.ROOT); - for (GeneralName entry : subjectAltNames.getGeneralNames()) { - if (logger.isTraceEnabled()) { - logger.trace("DNS verification of hostname : type=" + entry.extension - + " value=" + entry.value - + " to " + host); - } - if (entry.extension == Extension.DNS) { //IP - String normalizedSubjectAlt = entry.value.toLowerCase(Locale.ROOT); - if (matchDns(normalizedHost, normalizedSubjectAlt)) { - return; + } else { + //*********************************************************** + // Host is not IP = DNS : Check corresponding entries in alternative subject names + //*********************************************************** + for (GeneralName entry : subjectAltNames.getGeneralNames()) { + if (logger.isTraceEnabled()) { + logger.trace("DNS verification of hostname : type=" + entry.extension + + " value=" + entry.value + + " to " + host); + } + if (entry.extension == Extension.DNS) { //IP + String normalizedSubjectAlt = entry.value.toLowerCase(Locale.ROOT); + if (matchDns(normalizedHost, normalizedSubjectAlt)) { + return; + } } } } - throw new SSLException("DNS host \"" + host + "\" not found in certificate alt-names " + subjectAltNames.toString()); } + + //*********************************************************** + // RFC 2818 : legacy fallback using CN (recommendation is using alt-names) + //*********************************************************** + X500Principal subjectPrincipal = cert.getSubjectX500Principal(); + String cn = 
extractCommonName(subjectPrincipal.getName(X500Principal.RFC2253)); + + if (cn == null) { + if (subjectAltNames.isEmpty()) { + throw new SSLException("CN not found in certificate principal \"" + subjectPrincipal + + "\" and certificate doesn't contain SAN"); + } else { + throw new SSLException("CN not found in certificate principal \"" + subjectPrincipal + + "\" and " + normalizedHostMsg(normalizedHost) + " doesn't correspond to " + subjectAltNames.toString()); + } + } + + String normalizedCn = cn.toLowerCase(Locale.ROOT); + + if (!matchDns(normalizedHost, normalizedCn)) { + String errorMsg = normalizedHostMsg(normalizedHost) + " doesn't correspond to certificate CN \"" + normalizedCn + "\""; + if (!subjectAltNames.isEmpty()) errorMsg += " and " + subjectAltNames.toString(); + throw new SSLException(errorMsg); + } + + return; + + } catch (CertificateParsingException cpe) { - // ignore error + throw new SSLException("certificate parsing error : " + cpe.getMessage()); } + } - //*********************************************************** - // no alternative subject names, check using CN - //*********************************************************** - X500Principal subjectPrincipal = cert.getSubjectX500Principal(); - String cn = extractCommonName(subjectPrincipal.getName(X500Principal.RFC2253)); - if (cn == null) { - throw new SSLException("CN not found in certificate principal \"" + subjectPrincipal + "\""); + private static String normalizedHostMsg(String normalizedHost) { + StringBuilder msg = new StringBuilder(); + if (Utils.isIPv4(normalizedHost)) { + msg.append("IPv4 host \""); + } else if (Utils.isIPv6(normalizedHost)) { + msg.append("IPv6 host \""); + } else { + msg.append("DNS host \""); } - String normalizedHost = host.toLowerCase(Locale.ROOT); - String normalizedCn = cn.toLowerCase(Locale.ROOT); - if (!matchDns(normalizedHost, normalizedCn)) { - throw new SSLException("host \"" + normalizedHost + "\" doesn't correspond to certificate CN \"" + normalizedCn + 
"\""); - } - + msg.append(normalizedHost).append("\""); + return msg.toString(); } private enum Extension { @@ -256,7 +282,7 @@ public GeneralName(String value, Extension extension) { @Override public String toString() { - return "{\"" + value + "\"|" + extension + "}"; + return "{" + extension + ":\"" + value + "\"}"; } } @@ -265,7 +291,9 @@ private class SubjectAltNames { @Override public String toString() { - StringBuilder sb = new StringBuilder("certificate SubjectAltNames["); + if (isEmpty()) return "SAN[-empty-]"; + + StringBuilder sb = new StringBuilder("SAN["); boolean first = true; for (GeneralName generalName : generalNames) { diff --git a/src/test/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImplTest.java b/src/test/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImplTest.java index 149a4566c..27e89f5b7 100644 --- a/src/test/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImplTest.java +++ b/src/test/java/org/mariadb/jdbc/internal/protocol/tls/HostnameVerifierImplTest.java @@ -63,9 +63,9 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "8QdWBcm2Ybo4XFjOnC98VlQl+WBu4CiToxjGphDmsMIO3Hf5PSTRwTKxtuWn45Y=\n" + "-----END CERTIFICATE-----\n"); verifier.verify("test.com", cert); - verifyExceptionEqual("a.test.com", cert, "host \"a.test.com\" doesn't correspond to " + verifyExceptionEqual("a.test.com", cert, "DNS host \"a.test.com\" doesn't correspond to " + "certificate CN \"test.com\""); - verifyExceptionEqual("other.com", cert, "host \"other.com\" doesn't correspond to " + verifyExceptionEqual("other.com", cert, "DNS host \"other.com\" doesn't correspond to " + "certificate CN \"test.com\""); } 
@@ -93,7 +93,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "d6DHlYvpD9JkzyEScg8Supztoc2aGbGE4SHBKB1riTLBAHWqqwas4sGSgZxu\n" + "-----END CERTIFICATE-----\n"); verifier.verify("\uD83D\uDE0E.com", cert); - verifyExceptionEqual("a.\uD83D\uDE0E.com", cert, "host \"a.\uD83D\uDE0E.com\" doesn't " + verifyExceptionEqual("a.\uD83D\uDE0E.com", cert, "DNS host \"a.\uD83D\uDE0E.com\" doesn't " + "correspond to certificate CN \"\uD83D\uDE0E.com\""); } @@ -131,13 +131,14 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "-----END CERTIFICATE-----\n"); - verifyExceptionEqual("mariadb.org", cert, "DNS host \"mariadb.org\" not found in " - + "certificate alt-names certificate SubjectAltNames[{\"other.org\"|DNS},{\"www.other.org\"|DNS}]"); - verifyExceptionEqual("a.mariadb.org", cert, "DNS host \"a.mariadb.org\" not found in " - + "certificate alt-names certificate SubjectAltNames[{\"other.org\"|DNS},{\"www.other.org\"|DNS}]"); + verifyExceptionEqual("mariadb.org", cert, "DNS host \"mariadb.org\" doesn't correspond to certificate " + + "CN \"*.mariadb.org\" and SAN[{DNS:\"other.org\"},{DNS:\"www.other.org\"}]"); + verifier.verify("a.mariadb.org", cert); + verifyExceptionEqual("a.other2.org", cert, "DNS host \"a.other2.org\" doesn't correspond to certificate " + + "CN \"*.mariadb.org\" and SAN[{DNS:\"other.org\"},{DNS:\"www.other.org\"}]"); verifier.verify("other.org", cert); - verifyExceptionEqual("a.other.org", cert, "DNS host \"a.other.org\" not found in " - + "certificate alt-names certificate SubjectAltNames[{\"other.org\"|DNS},{\"www.other.org\"|DNS}]"); + verifyExceptionEqual("a.other.org", cert, "DNS host \"a.other.org\" doesn't correspond to certificate " + + "CN \"*.mariadb.org\" and SAN[{DNS:\"other.org\"},{DNS:\"www.other.org\"}]"); verifier.verify("www.other.org", cert); } 
@@ -170,8 +171,9 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "n8jKTiRriEM+fMFlcgQP284EBFzYHyCXFb9O/hMjK2+6mY9euMB1U1aFFzM/Bg==\n" + "-----END CERTIFICATE-----\n"); verifier.verify("foo.com", cert); - verifyExceptionEqual("a.foo.com", cert, "DNS host \"a.foo.com\" not found in certificate " - + "alt-names certificate SubjectAltNames[{\"foo.com\"|DNS}]"); + verifyExceptionEqual("a.foo.com", cert, "CN not found in certificate principal " + + "\"EMAILADDRESS=juliusdavies@gmail.com, OU=test certificates, O=httpcomponents, L=Forest Hill, " + + "ST=Maryland, C=US\" and DNS host \"a.foo.com\" doesn't correspond to SAN[{DNS:\"foo.com\"}]"); } @Test public void verifyMultipleCn() throws Exception { @@ -199,7 +201,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "GiY3dV92GD9wZfbUWsQRzLizRzIrsvZfCn/LLeUvOQPuCCeLzIxD\n" + "-----END CERTIFICATE-----\n"); verifier.verify("test1.org", cert); - verifyExceptionEqual("test2.org", cert, "host \"test2.org\" doesn't correspond to " + verifyExceptionEqual("test2.org", cert, "DNS host \"test2.org\" doesn't correspond to " + "certificate CN \"test1.org\""); } @@ -231,11 +233,11 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "G9Z6tyMbmfRY+dLSh3a9JwoEcBUso6EWYBakLbq4nG/nvYdYvG9ehrnLVwZFL82e\n" + "l3Q/RK95bnA6cuRClGusLad0e6bjkBzx/VQ3VarDEpAkTLUGVAa0CLXtnyc=\n" + "-----END CERTIFICATE-----\n"); - verifyExceptionEqual("foo.com", cert, "host \"foo.com\" doesn't correspond to certificate " + verifyExceptionEqual("foo.com", cert, "DNS host \"foo.com\" doesn't correspond to certificate " + "CN \"*.foo.com\""); verifier.verify("www.foo.com", cert); verifier.verify("\u82b1\u5b50.foo.com", cert); - verifyExceptionEqual("a.b.foo.com", cert, "host \"a.b.foo.com\" doesn't correspond to " + verifyExceptionEqual("a.b.foo.com", cert, "DNS host \"a.b.foo.com\" doesn't correspond to " + "certificate CN \"*.foo.com\""); } 
@@ -301,12 +303,12 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce verifier.verify("localhost", cert); verifier.verify("localhost.localdomain", cert); - verifyExceptionEqual("local.host", cert, "DNS host \"local.host\" not found in certificate " - + "alt-names certificate SubjectAltNames[{\"localhost.localdomain\"|DNS},{\"localhost\"|DNS},{\"127.0.0.1\"|IP}]"); + verifyExceptionEqual("local.host", cert, "DNS host \"local.host\" doesn't correspond to certificate " + + "CN \"*.mariadb.org\" and SAN[{DNS:\"localhost.localdomain\"},{DNS:\"localhost\"},{IP:\"127.0.0.1\"}]"); verifier.verify("127.0.0.1", cert); - verifyExceptionEqual("127.0.0.2", cert, "No IPv4 corresponding to host \"127.0.0.2\" " - + "in certificate alt-names certificate SubjectAltNames[{\"localhost.localdomain\"|DNS},{\"localhost\"|DNS},{\"127.0.0.1\"|IP}]"); + verifyExceptionEqual("127.0.0.2", cert, "IPv4 host \"127.0.0.2\" doesn't correspond to certificate " + + "CN \"*.mariadb.org\" and SAN[{DNS:\"localhost.localdomain\"},{DNS:\"localhost\"},{IP:\"127.0.0.1\"}]"); } @Test public void wildcardsCannotMatchIpAddresses() throws Exception { @@ -332,7 +334,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "+EnURTvdjd2ZuY5QKvwlBQssqOHxDATg8pL6JmgnrvbYqh+FBpUN8sqwrXx6q8dz\n" + "aUH7ncQGgwZBAUIiQaKlb0QYpcyrMlGWNri+RFt+Goz5S3BxxobwfiaBoA==\n" + "-----END CERTIFICATE-----\n"); - verifyExceptionEqual("127.0.0.1", cert, "host \"127.0.0.1\" doesn't correspond to " + verifyExceptionEqual("127.0.0.1", cert, "IPv4 host \"127.0.0.1\" doesn't correspond to " + "certificate CN \"*.0.0.1\" : wildcards not possible for IPs"); } 
@@ -360,21 +362,21 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce + "Flo8jrfEOHRCrdYqXobC/YVuxk+1h+Q2Nu5mKzbc3XfpG1LGGZB98+FP\n" + "-----END CERTIFICATE-----\n"); - verifyExceptionEqual("other.org", cert, "DNS host \"other.org\" not found in certificate " - + "alt-names certificate SubjectAltNames[{\"*.other.org\"|DNS},{\"a*b.other2.com\"|DNS}]"); + verifyExceptionEqual("other.org", cert, "DNS host \"other.org\" doesn't correspond " + + "to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]"); verifier.verify("www.other.org", cert); - verifyExceptionEqual("other2.org", cert, "DNS host \"other2.org\" not found in certificate " - + "alt-names certificate SubjectAltNames[{\"*.other.org\"|DNS},{\"a*b.other2.com\"|DNS}]"); - verifyExceptionEqual("www.other2.org", cert, "DNS host \"www.other2.org\" not found in " - + "certificate alt-names certificate SubjectAltNames[{\"*.other.org\"|DNS},{\"a*b.other2.com\"|DNS}]"); + verifyExceptionEqual("other2.org", cert, "DNS host \"other2.org\" doesn't correspond " + + "to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]"); + verifyExceptionEqual("www.other2.org", cert, "DNS host \"www.other2.org\" doesn't correspond " + + "to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]"); verifier.verify("ab.other2.com", cert); verifier.verify("axxxxb.other2.com", cert); - verifyExceptionEqual("axxxxbc.other2.org", cert, "DNS host \"axxxxbc.other2.org\" not found " - + "in certificate alt-names certificate SubjectAltNames[{\"*.other.org\"|DNS},{\"a*b.other2.com\"|DNS}]"); - verifyExceptionEqual("caxxxxb.other2.org", cert, "DNS host \"caxxxxb.other2.org\" not found " - + "in certificate alt-names certificate SubjectAltNames[{\"*.other.org\"|DNS},{\"a*b.other2.com\"|DNS}]"); - verifyExceptionEqual("a.axxxxb.other2.org", cert, "DNS host \"a.axxxxb.other2.org\" not found " - + "in certificate 
alt-names certificate SubjectAltNames[{\"*.other.org\"|DNS},{\"a*b.other2.com\"|DNS}]"); + verifyExceptionEqual("axxxxbc.other2.org", cert, "DNS host \"axxxxbc.other2.org\" doesn't " + + "correspond to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]"); + verifyExceptionEqual("caxxxxb.other2.org", cert, "DNS host \"caxxxxb.other2.org\" doesn't " + + "correspond to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]"); + verifyExceptionEqual("a.axxxxb.other2.org", cert, "DNS host \"a.axxxxb.other2.org\" doesn't " + + "correspond to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]"); } }