cxf-issues mailing list archives

From "Chris Ribble (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6762) DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
Date Thu, 28 Jan 2016 00:46:39 GMT

    [ https://issues.apache.org/jira/browse/CXF-6762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15120525#comment-15120525 ]

Chris Ribble commented on CXF-6762:
-----------------------------------

I added 3.1.5-SNAPSHOT to my test case's gradle build and verified that the issue does *not*
happen: I no longer need to define a custom DefaultHostnameVerifier instance to be able to
validate non-root wildcard hosts!

Thanks!

> DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
> -----------------------------------------------------------------------
>
>                 Key: CXF-6762
>                 URL: https://issues.apache.org/jira/browse/CXF-6762
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, Transports
>    Affects Versions: 3.1.4
>            Reporter: Chris Ribble
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation
> in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761)
> improperly validates the request hostname against the DNSName values from the SAN section
> of a certificate when matching wildcards.
> For example, the following works:
> Hostname = my.test.com -> DNSName = *.test.com
> But the following does not:
> Hostname = 1.my.test.com -> DNSName = *.my.test.com
> The reason this fails is that the validation code erroneously assumes (in multiple places)
> that wildcards only ever exist on the root domain.
> The logic should be improved to allow the wildcard to be used to replace 1 domain name
> component or component fragment (comments in the code indicate that this is its purpose, but
> it fails at this).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
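
Added example, not part of the original message and not CXF's DefaultHostnameVerifier code: a stand-alone matcher for the rule the issue asks for, where a wildcard in the left-most label replaces one domain name component or component fragment at any depth. The class and method names are hypothetical, the sample inputs beyond the two from the report are constructed, and the matcher assumes wildcards are honoured only in the left-most label and does not consult a public-suffix list.

```java
import java.util.Locale;

public class WildcardSanMatch {
    // True if host matches a SAN dNSName pattern in which '*' stands in for one
    // whole left-most label, or a fragment of it, at any domain depth.
    static boolean matches(String host, String pattern) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] p = pattern.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (h.length != p.length) {
            return false; // a wildcard covers exactly one label
        }
        // Labels to the right of the first must match literally, with no '*'.
        for (int i = 1; i < p.length; i++) {
            if (p[i].isEmpty() || p[i].indexOf('*') >= 0 || !p[i].equals(h[i])) {
                return false;
            }
        }
        return labelMatches(h[0], p[0]);
    }

    static boolean labelMatches(String label, String pat) {
        int star = pat.indexOf('*');
        if (star < 0) {
            return !pat.isEmpty() && pat.equals(label);
        }
        if (pat.indexOf('*', star + 1) >= 0) {
            return false; // more than one wildcard in the label
        }
        String prefix = pat.substring(0, star);
        String suffix = pat.substring(star + 1);
        // Choice made in this example: '*' must stand for at least one character.
        return label.length() > prefix.length() + suffix.length()
                && label.startsWith(prefix) && label.endsWith(suffix);
    }

    public static void main(String[] args) {
        String[][] cases = {                     // constructed sample inputs
            {"my.test.com", "*.test.com"},       // first case from the report
            {"1.my.test.com", "*.my.test.com"},  // second case from the report
            {"a.1.my.test.com", "*.my.test.com"},
            {"my.test.com", "*.my.test.com"},
            {"web1.my.test.com", "web*.my.test.com"},
        };
        for (String[] c : cases) {
            System.out.printf("%-18s vs %-18s -> %b%n", c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```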
