cxf-issues mailing list archives

From "Chris Ribble (JIRA)" <>
Subject [jira] [Updated] (CXF-6762) DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
Date Wed, 27 Jan 2016 01:50:39 GMT


Chris Ribble updated CXF-6762:
    Remaining Estimate: 48h  (was: 24h)
     Original Estimate: 48h  (was: 24h)

> DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
> -----------------------------------------------------------------------
>                 Key: CXF-6762
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, Transports
>    Affects Versions: 3.1.4
>            Reporter: Chris Ribble
>            Priority: Minor
>   Original Estimate: 48h
>  Remaining Estimate: 48h
> DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761) improperly validates the request hostname against the DNSName values from the SAN section of a certificate when matching wildcards.
> For example, the following works:
> Hostname = -> DNSName = *
> But the following does not:
> Hostname = -> DNSName = *
> The reason this fails is that the validation code erroneously assumes (in multiple places) that wildcards only ever exist on the root domain.
> The logic should be improved to allow the wildcard to be used to replace 1 domain name component or component fragment (comments in the code indicate that this is its purpose, but it fails at this).

This message was sent by Atlassian JIRA
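
The matching rule the report asks for (a wildcard standing in for one name component or component fragment, at any depth), sketched as an added Java example; it is not part of the original message and is not CXF's code. The class and method names and the hostnames are constructed for illustration, and IP-literal hosts are assumed to be checked separately by the caller.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not CXF's code.
public class WildcardSanMatch {

    // True if host matches a SAN DNSName carrying at most one '*' in its left-most label.
    static boolean matches(String host, String dnsName) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = dnsName.toLowerCase(Locale.ROOT);
        int star = p.indexOf('*');
        if (star < 0) {
            return h.equals(p);                 // no wildcard: exact match only
        }
        int pDot = p.indexOf('.');
        int hDot = h.indexOf('.');
        // One '*' only, and only inside the left-most label of the pattern.
        if (star != p.lastIndexOf('*') || pDot < 0 || star > pDot || hDot < 0) {
            return false;
        }
        // Conservative choice: the part after the wildcard label needs two or more
        // labels, so a pattern such as "*.com" never matches.
        if (p.indexOf('.', pDot + 1) < 0) {
            return false;
        }
        // Everything after the first label must be identical, at any depth.
        // Comparing the whole remainder is what makes a non-root wildcard work.
        if (!h.substring(hDot).equals(p.substring(pDot))) {
            return false;
        }
        String label = h.substring(0, hDot);
        String prefix = p.substring(0, star);
        String suffix = p.substring(star + 1, pDot);
        // '*' stands for one or more characters of a single label, never a dot.
        return label.length() > prefix.length() + suffix.length()
                && label.startsWith(prefix) && label.endsWith(suffix);
    }

    public static void main(String[] args) {
        String[][] cases = {                    // constructed names
            {"svc.example.com", "*.example.com"},              // root-domain wildcard
            {"svc.dev.example.com", "*.dev.example.com"},      // non-root wildcard
            {"svc01.dev.example.com", "svc*.dev.example.com"}, // label fragment
            {"a.b.dev.example.com", "*.dev.example.com"},      // '*' would span two labels
            {"svc.dev.example.com", "svc.*.example.com"},      // '*' not in left-most label
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
        }
    }
}
```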
