Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance CertificateException message when throw due hostname validation #13381

Merged
merged 3 commits into from Jul 19, 2023
Merged

Enhance CertificateException message when throw due hostname validation #13381

merged 3 commits into from Jul 19, 2023

Conversation

normanmaurer
Copy link
Member

Motivation:

It is hard for end-user to understand why the hostname validation failed. Let's try to help them by including the SubjectAlternativeNames if there are any.

Modifications:

  • Wrap the X509ExtendedTrustManager and so be able to catch the CertificateException and add more details if needed
  • Add unit test

Result:

Easier to debug hostname validation problems

@normanmaurer normanmaurer added this to the 4.1.93.Final milestone May 15, 2023
idelpivnitskiy
idelpivnitskiy reviewed May 24, 2023
View reviewed changes
Copy link
Member

@idelpivnitskiy idelpivnitskiy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked at HostnameChecker.matchDNS impl in JDK11 and found a few more things:

handler/src/main/java/io/netty/handler/ssl/EnhancingX509ExtendedTrustManager.java Outdated Show resolved Hide resolved
handler/src/main/java/io/netty/handler/ssl/EnhancingX509ExtendedTrustManager.java Outdated Show resolved Hide resolved
handler/src/main/java/io/netty/handler/ssl/EnhancingX509ExtendedTrustManager.java Show resolved Hide resolved
@normanmaurer
Enhance CertificateException message when throw due hostname validation
7db5e44 
Motivation:

It is hard for end-user to understand why the hostname validation failed. Let's try to help them by including the SubjectAlternativeNames if there are any.

Modifications:

- Wrap the X509ExtendedTrustManager and so be able to catch the CertificateException and add more details if needed
- Add unit test

Result:

Easier to debug hostname validation problems
@normanmaurer
Address feedback
08eb636
@normanmaurer
Address comments
4b30188
idelpivnitskiy
idelpivnitskiy approved these changes Jul 19, 2023
View reviewed changes
Copy link
Member

@idelpivnitskiy idelpivnitskiy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

handler/src/main/java/io/netty/handler/ssl/EnhancingX509ExtendedTrustManager.java Show resolved Hide resolved
@normanmaurer normanmaurer merged commit 22378d8 into 4.1 Jul 19, 2023
14 checks passed
@normanmaurer normanmaurer deleted the cert_exception branch July 19, 2023 17:15
normanmaurer added a commit that referenced this pull request Jul 19, 2023
@normanmaurer
Enhance CertificateException message when throw due hostname validati…
4d50958 
…on (#13381)

Motivation:

It is hard for end-user to understand why the hostname validation
failed. Let's try to help them by including the SubjectAlternativeNames
if there are any.

Modifications:

- Wrap the X509ExtendedTrustManager and so be able to catch the
CertificateException and add more details if needed
- Add unit test

Result:

Easier to debug hostname validation problems
@brian-dellisanti-hcl brian-dellisanti-hcl mentioned this pull request Feb 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@idelpivnitskiy idelpivnitskiy idelpivnitskiy approved these changes

@trustin trustin Awaiting requested review from trustin

@chrisvest chrisvest Awaiting requested review from chrisvest

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.1.95.Final
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@normanmaurer @idelpivnitskiy