cxf-issues mailing list archives

From "Akitoshi Yoshida (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6143) SSL/TLS hostname verification does not strictly follow HTTPS RFC2818
Date Mon, 19 Jan 2015 16:04:41 GMT

    [ https://issues.apache.org/jira/browse/CXF-6143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14282628#comment-14282628 ]

Akitoshi Yoshida commented on CXF-6143:
---------------------------------------

I noticed a few things with this change.

First, about the internet access during the build.
Now the build needs internet access to fetch
https://publicsuffix.org/list/effective_tld_names.dat
and this file is stored in /mozilla/public-suffix-list.txt in the classpath.
Can we include this file locally so that the build works without an internet connection?

Second, this file doesn't seem to be currently included in the target jar file (because this
is a plain text file in a folder that contains no class files).
Shouldn't this file be included?



> SSL/TLS hostname verification does not strictly follow HTTPS RFC2818
> --------------------------------------------------------------------
>
>                 Key: CXF-6143
>                 URL: https://issues.apache.org/jira/browse/CXF-6143
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.2
>            Reporter: Chad Loder
>            Assignee: Colm O hEigeartaigh
>              Labels: security, ssl
>             Fix For: 3.0.4, 2.7.15
>
>
> The HTTPS specification [RFC 2818, section 3.1|http://tools.ietf.org/html/rfc2818#section-3.1] states:
> {quote}
>    If a subjectAltName extension of type dNSName is present, that MUST
>    be used as the identity. Otherwise, the (most specific) Common Name
>    field in the Subject field of the certificate MUST be used. Although
>    the use of the Common Name is existing practice, it is deprecated and
>    Certification Authorities are encouraged to use the dNSName instead.
> {quote}
> The current [CertificateHostnameVerifier|https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java]
> implementation in CXF does not follow this logic, even in STRICT mode. Instead, it builds
> an array of both CNs and subjectAltNames and checks each of them sequentially, in the order
> returned in the certificate.
> The proper approach would be to build a list of subjectAltNames having type dNSName.
> If the list is non-empty, matching should proceed against this list ONLY - and validation
> should fail if no subjectAltName matches. Otherwise, only if the subjectAltName list is empty,
> a list of CNs from the Subject field should be built, and perhaps sorted from most- to least-specific.
> A match should then proceed against this list, taking into account wildcards of course.
> Likewise, the [HostnameVerifier implementation in not-yet-commons-ssl|http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl/trunk/src/java/org/apache/commons/ssl/HostnameVerifier.java?revision=121&pathrev=172]
> has the same issue. However, since not-yet-commons-ssl is a generic SSL/TLS transport library,
> it should not be made to follow HTTPS application layer rules for all TLS connections - instead
> a STRICT_HTTPS mode could be implemented for this purpose.
> For more information, see http://tools.ietf.org/search/rfc6125 (for future reference
> and background on where implementations are going) and http://tersesystems.com/2014/03/23/fixing-hostname-verification/
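The precedence rule the report describes (dNSName SANs are authoritative when present, CNs are consulted only when there are none), written out as an added Java example; this is not CXF's CertificateHostnameVerifier and uses only the JDK's X509Certificate and LdapName APIs. It assumes wildcards are limited to a single leading "*." label (stricter than the "f*.com" form RFC 2818 also allows) and checks CNs in certificate order rather than sorting them by specificity.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Illustrative RFC 2818 section 3.1 identity check; an added example, not CXF's verifier. */
public final class Rfc2818Identity {
    // dNSName is GeneralName tag 2 in the lists returned by getSubjectAlternativeNames()
    private static final int DNS_NAME = 2;

    /** True if host matches the certificate's identity with the RFC 2818 precedence. */
    public static boolean verify(String host, X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> dnsNames = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(DNS_NAME).equals(san.get(0))) dnsNames.add((String) san.get(1));
            }
        }
        // Collect every CN attribute of the Subject DN, in the order the certificate gives them
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cns.add(rdn.getValue().toString());
        }
        return verify(host, dnsNames, cns);
    }

    /** Pure decision: dNSName SANs are used when present; CNs only when the SAN list is empty. */
    static boolean verify(String host, List<String> dnsNames, List<String> cns) {
        List<String> candidates = dnsNames.isEmpty() ? cns : dnsNames;
        for (String identity : candidates) {
            if (matchesIdentity(host, identity)) return true;
        }
        return false;   // a SAN-bearing certificate never falls back to its CN
    }

    /** Case-insensitive match; a leading "*." wildcard covers exactly one DNS label. */
    static boolean matchesIdentity(String host, String identity) {
        String h = host.toLowerCase(Locale.ROOT), id = identity.toLowerCase(Locale.ROOT);
        if (!id.startsWith("*.")) return h.equals(id);
        String suffix = id.substring(1);                    // ".example.com"
        if (!h.endsWith(suffix)) return false;
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");   // rejects bar.foo.example.com
    }
}
```

With this ordering, a certificate whose CN names the requested host but whose dNSName SANs do not is rejected, which is the case the sequential CN-plus-SAN scan in the report accepts.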



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
