directory-dev mailing list archives

From "Daniel Fisher (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRAPI-72) Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6
Date Fri, 11 May 2012 15:48:50 GMT

    [ https://issues.apache.org/jira/browse/DIRAPI-72?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273371#comment-13273371 ]

Daniel Fisher commented on DIRAPI-72:
-------------------------------------

I have an implementation that performs hostname verification like JNDI does for startTLS.
However it may be more than what you want.

Here is the trust manager: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/HostnameVerifyingTrustManager.java
It delegates to a hostname verifier: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/CertificateHostnameVerifier.java
And I provide a default hostname verifier here: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/DefaultHostnameVerifier.java
Which is where the real work is done.
On top of all that, clients are going to want hostname verification *in addition* to the standard
trust manager used in the SSL handshake.
Which means you need a class like this: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/AggregateTrustManager.java
configured with the standard trust manager plus the hostname verifier.

Using trust managers for hostname verification isn't particularly clean, but it does work.
If you're interested in me contributing this code or something like it, just let me know.
I don't think you'll be able to get away from something like the aggregate trust manager,
but other classes could be simplified at the cost of some flexibility.

                
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6
> --------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-72
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-72
>             Project: Directory Client API
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M9
>            Reporter: Pierre-Arnaud Marcelot
>            Assignee: Pierre-Arnaud Marcelot
>             Fix For: 1.0.0-M12
>
>
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6.
> See DIRAPI-69 (startTLS hostname verification) for more background information.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
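
The arrangement described in the comment above (a standard trust manager aggregated with a hostname-checking one), as an added sketch that is not code from ldaptive or from the Directory Client API. The class names `AggregateTrustManagerSketch` and `HostnameCheck` are hypothetical, and the name check is deliberately narrowed to an exact, case-insensitive dNSName match, with no wildcard or subject CN handling.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.X509TrustManager;

/** Added sketch (hypothetical names): every delegate must accept the chain. */
public class AggregateTrustManagerSketch implements X509TrustManager {
  private final X509TrustManager[] delegates;

  public AggregateTrustManagerSketch(X509TrustManager... delegates) {
    if (delegates.length == 0) throw new IllegalArgumentException("no delegates");
    this.delegates = delegates.clone();
  }
  @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
      throws CertificateException {
    for (X509TrustManager tm : delegates) tm.checkClientTrusted(chain, authType);
  }
  @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
      throws CertificateException {
    // The first delegate that throws rejects the handshake.
    for (X509TrustManager tm : delegates) tm.checkServerTrusted(chain, authType);
  }
  @Override public X509Certificate[] getAcceptedIssuers() {
    List<X509Certificate> issuers = new ArrayList<>();
    for (X509TrustManager tm : delegates) issuers.addAll(Arrays.asList(tm.getAcceptedIssuers()));
    return issuers.toArray(new X509Certificate[0]);
  }

  /** Checks the server name only; never use alone, path validation is the standard manager's job. */
  public static class HostnameCheck implements X509TrustManager {
    private final String hostname;
    public HostnameCheck(String hostname) { this.hostname = hostname; }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
      if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
      // The leaf is chain[0]; each SAN entry is [Integer type, Object value], type 2 = dNSName.
      Collection<List<?>> sans = chain[0].getSubjectAlternativeNames();
      if (sans != null) {
        for (List<?> san : sans) {
          if (Integer.valueOf(2).equals(san.get(0))
              && hostname.equalsIgnoreCase((String) san.get(1))) return;
        }
      }
      throw new CertificateException("certificate does not match host " + hostname);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  }
}
```

The standard `X509TrustManager` obtained from `TrustManagerFactory` goes in as the first delegate and a `HostnameCheck` for the host the client connected to as the second; the aggregate is then what gets passed to `SSLContext.init`.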
