cxf-issues mailing list archives

From "Chris Ribble (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-6762) DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
Date Wed, 27 Jan 2016 01:49:39 GMT
Chris Ribble created CXF-6762:
---------------------------------

             Summary: DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
                 Key: CXF-6762
                 URL: https://issues.apache.org/jira/browse/CXF-6762
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, Transports
    Affects Versions: 3.1.4
            Reporter: Chris Ribble
            Priority: Minor


DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation
in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761)
improperly validates the request hostname against the DNSName values from the SAN section
of a certificate when matching wildcards.

For example, the following works:
Hostname = my.test.com -> DNSName = *.test.com

But the following does not:
Hostname = 1.my.test.com -> DNSName = *.my.test.com

The reason this fails is that the validation code erroneously assumes (in multiple places)
that wildcards only ever exist on the root domain.

The logic should be improved to allow the wildcard to be used to replace 1 domain name component
or component fragment (comments in the code indicate that this is its purpose, but it fails
at this).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
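
Added example, not part of the original message and not CXF's code: a minimal Java matcher for the behaviour the report asks for, where `*` in the leftmost label of a SAN DNSName stands for one label or a fragment of one label at any domain depth. The class and method names are hypothetical, and the cases in main() are constructed around the two hostnames from the report.

```java
import java.util.Locale;

public class WildcardSanMatch {

    /** Matches host against a SAN DNSName pattern with at most one '*', in the leftmost label only. */
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        int star = p.indexOf('*');
        if (star < 0) {
            return h.equals(p);                      // no wildcard: exact match only
        }
        int pDot = p.indexOf('.');
        int hDot = h.indexOf('.');
        // Reject a wildcard outside the leftmost label, a second wildcard, or names with no parent domain.
        if (pDot < 0 || hDot < 0 || star > pDot || p.indexOf('*', star + 1) >= 0) {
            return false;
        }
        // Everything after the first label must be identical, so '*' never spans a dot
        // and the parent domain may be of any depth (test.com, my.test.com, ...).
        if (!h.substring(hDot).equals(p.substring(pDot))) {
            return false;
        }
        String hLabel = h.substring(0, hDot);
        String prefix = p.substring(0, star);
        String suffix = p.substring(star + 1, pDot);
        // '*' stands for at least one character: the whole label or a fragment of it.
        return hLabel.length() > prefix.length() + suffix.length()
                && hLabel.startsWith(prefix)
                && hLabel.endsWith(suffix);
    }

    public static void main(String[] args) {
        // Constructed cases. Not covered here: refusing wildcards directly under a public suffix.
        String[][] cases = {
            {"my.test.com", "*.test.com"},            // first hostname/DNSName pair from the report
            {"1.my.test.com", "*.my.test.com"},       // second pair from the report
            {"1.my.test.com", "*.test.com"},          // wildcard asked to cover two labels
            {"my.test.com", "*.my.test.com"},         // host has one label fewer than the pattern
            {"web1.my.test.com", "web*.my.test.com"}, // wildcard as a label fragment
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
        }
    }
}
```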
