cxf-issues mailing list archives

From "Chris Ribble (JIRA)" <>
Subject [jira] [Commented] (CXF-6762) DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
Date Thu, 28 Jan 2016 00:46:39 GMT


Chris Ribble commented on CXF-6762:

I added 3.1.5-SNAPSHOT to my test cases' gradle build and verified that the issue does *not*
happen: I no longer need to define a custom DefaultHostnameVerifier instance to be able to
validate non-root wildcard hosts!


> DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
> -----------------------------------------------------------------------
>                 Key: CXF-6762
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, Transports
>    Affects Versions: 3.1.4
>            Reporter: Chris Ribble
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>   Original Estimate: 48h
>  Remaining Estimate: 48h
> DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation
> in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761)
> improperly validates the request hostname against the DNSName values from the SAN section
> of a certificate when matching wildcards.
> For example, the following works:
> Hostname = -> DNSName = *
> But the following does not:
> Hostname = -> DNSName = *
> The reason this fails is that the validation code erroneously assumes (in multiple places)
> that wildcards only ever exist on the root domain.
> The logic should be improved to allow the wildcard to be used to replace 1 domain name
> component or component fragment (comments in the code indicate that this is its purpose, but
> it fails at this).

This message was sent by Atlassian JIRA
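
The matching rule the issue description asks for (a wildcard standing in for one domain name component or component fragment, at any depth in the name), as an added example that is not CXF's code or the fix that went into 3.1.5-SNAPSHOT. The class name `WildcardSanMatcher` and the host names are hypothetical and constructed; the three-label minimum and the requirement that the wildcard consume at least one character are assumptions of this example.

```java
import java.util.Locale;

// Added example; WildcardSanMatcher is a hypothetical name, not a CXF class.
public class WildcardSanMatcher {

    // True if host matches a SAN dNSName whose wildcard sits only in the left-most label.
    static boolean matches(String host, String sanDnsName) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] p = sanDnsName.toLowerCase(Locale.ROOT).split("\\.", -1);
        // A wildcard stands in for one label (or part of one), so label counts must agree.
        if (h.length != p.length) {
            return false;
        }
        // Every label to the right of the first must match literally, at any depth.
        for (int i = 1; i < p.length; i++) {
            if (p[i].isEmpty() || p[i].indexOf('*') >= 0 || !p[i].equals(h[i])) {
                return false;
            }
        }
        String label = p[0];
        int star = label.indexOf('*');
        if (star < 0) {
            return !label.isEmpty() && label.equals(h[0]);
        }
        // Assumption: coarse guard against names like "*.com"; not a public-suffix check.
        // A second '*' in the same label is also rejected.
        if (p.length < 3 || label.indexOf('*', star + 1) >= 0) {
            return false;
        }
        String prefix = label.substring(0, star);
        String suffix = label.substring(star + 1);
        // Assumption: the wildcard must consume at least one character of the first label.
        return h[0].length() > prefix.length() + suffix.length()
                && h[0].startsWith(prefix) && h[0].endsWith(suffix);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the issue.
        String[][] cases = {
            {"api.example.com", "*.example.com"},             // wildcard on the root domain
            {"api.dev.example.com", "*.dev.example.com"},     // non-root wildcard
            {"api1.dev.example.com", "api*.dev.example.com"}, // wildcard as a label fragment
            {"a.b.dev.example.com", "*.dev.example.com"},     // host has one label too many
            {"api.dev.example.com", "api.*.example.com"},     // wildcard not in left-most label
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
        }
    }
}
```

The first three constructed pairs match and the last two do not; the second pair is the non-root case the issue reports as failing in 3.1.4.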