cxf-issues mailing list archives

From "Chris Ribble (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-6762) DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
Date Wed, 27 Jan 2016 01:50:39 GMT

     [ https://issues.apache.org/jira/browse/CXF-6762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Ribble updated CXF-6762:
------------------------------
    Remaining Estimate: 48h  (was: 24h)
     Original Estimate: 48h  (was: 24h)

> DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
> -----------------------------------------------------------------------
>
>                 Key: CXF-6762
>                 URL: https://issues.apache.org/jira/browse/CXF-6762
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, Transports
>    Affects Versions: 3.1.4
>            Reporter: Chris Ribble
>            Priority: Minor
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation
> in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761)
> improperly validates the request hostname against the DNSName values from the SAN section
> of a certificate when matching wildcards.
> For example, the following works:
> Hostname = my.test.com -> DNSName = *.test.com
> But the following does not:
> Hostname = 1.my.test.com -> DNSName = *.my.test.com
> The reason this fails is that the validation code erroneously assumes (in multiple places)
> that wildcards only ever exist on the root domain.
> The logic should be improved to allow the wildcard to be used to replace 1 domain name
> component or component fragment (comments in the code indicate that this is its purpose, but
> it fails at this).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
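
The matching rule the report asks for, as an added Java example that is not part of the original message and is not CXF's DefaultHostnameVerifier code: the wildcard stands in for one label or a fragment of one label, at any depth of the name. The class and method names are hypothetical; restricting "*" to the left-most label, requiring it to cover at least one character, and leaving out public-suffix checks are assumptions of this example.

```java
import java.util.Locale;

// Added illustration; not CXF's DefaultHostnameVerifier code.
public class WildcardSanMatch {

    // True when host matches a SAN dNSName pattern in which "*" may stand in for
    // one whole label or a fragment of one label, at any depth of the name.
    static boolean matches(String host, String pattern) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] p = pattern.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (h.length != p.length) {
            return false; // a wildcard never spans a dot, so label counts must agree
        }
        for (int i = 0; i < p.length; i++) {
            if (h[i].isEmpty() || !labelMatches(h[i], p[i], i == 0)) {
                return false;
            }
        }
        return true;
    }

    private static boolean labelMatches(String label, String pat, boolean leftmost) {
        int star = pat.indexOf('*');
        if (star < 0) {
            return label.equals(pat);
        }
        // Assumption: accept a single "*" and only in the left-most label.
        if (!leftmost || star != pat.lastIndexOf('*')) {
            return false;
        }
        String prefix = pat.substring(0, star);
        String suffix = pat.substring(star + 1);
        // Assumption: the wildcard must cover at least one character of the label.
        return label.length() > prefix.length() + suffix.length()
                && label.startsWith(prefix) && label.endsWith(suffix);
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed; the first two pairs are from the issue
            {"my.test.com", "*.test.com"},
            {"1.my.test.com", "*.my.test.com"},
            {"1.my.test.com", "*.test.com"},
            {"www1.my.test.com", "w*1.my.test.com"},
            {"1.my.test.com", "1.*.test.com"},
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
        }
    }
}
```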
