directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Fisher (Commented) (JIRA)" <>
Subject [jira] [Commented] (DIRAPI-69) startTLS hostname verification
Date Tue, 31 Jan 2012 20:58:10 GMT


Daniel Fisher commented on DIRAPI-69:

I was able to get the functionality I wanted with the current API (M9). Namely, I wanted both
the default certificate trust manager and a hostname verification trust manager. Configuring
multiple trust managers is made more difficult due to the fact that SSLContext#init() accepts
an array, but only uses the first entry in the array. So in addition to coding a custom trust
manager you also have to code a trust manager that effectively wraps and delegates to all
the trust managers you want to use. Nevertheless, it's possible so you can resolve this issue.

I do think it's worth noting that no hostname verification occurs by default for startTLS
and this is a violation of RFC 2830 section 3.6. You may want to consider adding a trust manager
to conform.

> startTLS hostname verification
> ------------------------------
>                 Key: DIRAPI-69
>                 URL:
>             Project: Directory Client API
>          Issue Type: Improvement
>            Reporter: Daniel Fisher
> The current API does not have any features for controlling hostname verification. In
addition, it appears that *no* hostname verification occurs by default. See RFC 2830 section

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message