hc-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ol...@apache.org
Subject svn commit: r1600132 - in /httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl: AbstractBaseHostnameVerifier.java AbstractCommonHostnameVerifier.java AbstractVerifier.java
Date Wed, 04 Jun 2014 12:12:59 GMT
Author: olegk
Date: Wed Jun  4 12:12:59 2014
New Revision: 1600132

URL: http://svn.apache.org/r1600132
Log:
HTTPCLIENT-1449: split AbstractVerifier into AbstractBaseHostnameVerifier and AbstractCommonHostnameVerifier
the former implementing cert extraction logic while the latter implementing CN and SubjectAlts
extraction and validation logic

Added:
    httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
  (with props)
    httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractCommonHostnameVerifier.java
      - copied, changed from r1599798, httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
Modified:
    httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java

Added: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java?rev=1600132&view=auto
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
(added)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
Wed Jun  4 12:12:59 2014
@@ -0,0 +1,114 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.conn.ssl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+
+import org.apache.http.annotation.Immutable;
+
+/**
+ * Abstract base class for all standard {@link org.apache.http.conn.ssl.X509HostnameVerifier}
+ * implementations that provides common methods extracting
+ * {@link java.security.cert.X509Certificate} instance to be verified from either
+ * {@link javax.net.ssl.SSLSocket} or {@link javax.net.ssl.SSLSession}.
+ *
+ * @since 4.4
+ */
+@Immutable
+public abstract class AbstractBaseHostnameVerifier implements X509HostnameVerifier {
+
+    @Override
+    public final void verify(final String host, final SSLSocket ssl)
+          throws IOException {
+        if(host == null) {
+            throw new NullPointerException("host to verify is null");
+        }
+
+        SSLSession session = ssl.getSession();
+        if(session == null) {
+            // In our experience this only happens under IBM 1.4.x when
+            // spurious (unrelated) certificates show up in the server'
+            // chain.  Hopefully this will unearth the real problem:
+            final InputStream in = ssl.getInputStream();
+            in.available();
+            /*
+              If you're looking at the 2 lines of code above because
+              you're running into a problem, you probably have two
+              options:
+
+                #1.  Clean up the certificate chain that your server
+                     is presenting (e.g. edit "/etc/apache2/server.crt"
+                     or wherever it is your server's certificate chain
+                     is defined).
+
+                                           OR
+
+                #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch
+                      to a non-IBM JVM.
+            */
+
+            // If ssl.getInputStream().available() didn't cause an
+            // exception, maybe at least now the session is available?
+            session = ssl.getSession();
+            if(session == null) {
+                // If it's still null, probably a startHandshake() will
+                // unearth the real problem.
+                ssl.startHandshake();
+
+                // Okay, if we still haven't managed to cause an exception,
+                // might as well go for the NPE.  Or maybe we're okay now?
+                session = ssl.getSession();
+            }
+        }
+
+        final Certificate[] certs = session.getPeerCertificates();
+        final X509Certificate x509 = (X509Certificate) certs[0];
+        verify(host, x509);
+    }
+
+    @Override
+    public final boolean verify(final String host, final SSLSession session) {
+        try {
+            final Certificate[] certs = session.getPeerCertificates();
+            final X509Certificate x509 = (X509Certificate) certs[0];
+            verify(host, x509);
+            return true;
+        }
+        catch(final SSLException e) {
+            return false;
+        }
+    }
+
+}

Propchange: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractBaseHostnameVerifier.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Copied: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractCommonHostnameVerifier.java
(from r1599798, httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java)
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractCommonHostnameVerifier.java?p2=httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractCommonHostnameVerifier.java&p1=httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java&r1=1599798&r2=1600132&rev=1600132&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
(original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractCommonHostnameVerifier.java
Wed Jun  4 12:12:59 2014
@@ -27,11 +27,8 @@
 
 package org.apache.http.conn.ssl;
 
-import java.io.IOException;
-import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -43,8 +40,6 @@ import java.util.Locale;
 import java.util.StringTokenizer;
 
 import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -52,13 +47,17 @@ import org.apache.http.annotation.Immuta
 import org.apache.http.conn.util.InetAddressUtils;
 
 /**
- * Abstract base class for all standard {@link X509HostnameVerifier}
- * implementations.
+ /**
+ * Abstract base class for all standard {@link org.apache.http.conn.ssl.X509HostnameVerifier}
+ * implementations that provides methods to extract Common Name (CN) and alternative subjects
+ * (subjectAlt) from {@link java.security.cert.X509Certificate} being validated as well
+ * as {@link #verify(String, String[], String[], boolean)} method that implements common
+ * certificate subject validation logic.
  *
- * @since 4.0
+ * @since 4.4
  */
 @Immutable
-public abstract class AbstractVerifier implements X509HostnameVerifier {
+public abstract class AbstractCommonHostnameVerifier extends AbstractBaseHostnameVerifier
{
 
     /**
      * This contains a list of 2nd-level domains that aren't allowed to
@@ -81,72 +80,6 @@ public abstract class AbstractVerifier i
 
     private final Log log = LogFactory.getLog(getClass());
 
-    public AbstractVerifier() {
-        super();
-    }
-
-    @Override
-    public final void verify(final String host, final SSLSocket ssl)
-          throws IOException {
-        if(host == null) {
-            throw new NullPointerException("host to verify is null");
-        }
-
-        SSLSession session = ssl.getSession();
-        if(session == null) {
-            // In our experience this only happens under IBM 1.4.x when
-            // spurious (unrelated) certificates show up in the server'
-            // chain.  Hopefully this will unearth the real problem:
-            final InputStream in = ssl.getInputStream();
-            in.available();
-            /*
-              If you're looking at the 2 lines of code above because
-              you're running into a problem, you probably have two
-              options:
-
-                #1.  Clean up the certificate chain that your server
-                     is presenting (e.g. edit "/etc/apache2/server.crt"
-                     or wherever it is your server's certificate chain
-                     is defined).
-
-                                           OR
-
-                #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch
-                      to a non-IBM JVM.
-            */
-
-            // If ssl.getInputStream().available() didn't cause an
-            // exception, maybe at least now the session is available?
-            session = ssl.getSession();
-            if(session == null) {
-                // If it's still null, probably a startHandshake() will
-                // unearth the real problem.
-                ssl.startHandshake();
-
-                // Okay, if we still haven't managed to cause an exception,
-                // might as well go for the NPE.  Or maybe we're okay now?
-                session = ssl.getSession();
-            }
-        }
-
-        final Certificate[] certs = session.getPeerCertificates();
-        final X509Certificate x509 = (X509Certificate) certs[0];
-        verify(host, x509);
-    }
-
-    @Override
-    public final boolean verify(final String host, final SSLSession session) {
-        try {
-            final Certificate[] certs = session.getPeerCertificates();
-            final X509Certificate x509 = (X509Certificate) certs[0];
-            verify(host, x509);
-            return true;
-        }
-        catch(final SSLException e) {
-            return false;
-        }
-    }
-
     @Override
     public final void verify(final String host, final X509Certificate cert)
           throws SSLException {

Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java?rev=1600132&r1=1600131&r2=1600132&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
(original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
Wed Jun  4 12:12:59 2014
@@ -27,373 +27,16 @@
 
 package org.apache.http.conn.ssl;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.StringTokenizer;
-
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.http.annotation.Immutable;
-import org.apache.http.conn.util.InetAddressUtils;
-
 /**
  * Abstract base class for all standard {@link X509HostnameVerifier}
  * implementations.
  *
  * @since 4.0
+ *
+ * @deprecated (4.4) use {@link AbstractBaseHostnameVerifier} or
+ *  {@link org.apache.http.conn.ssl.AbstractCommonHostnameVerifier}
  */
-@Immutable
-public abstract class AbstractVerifier implements X509HostnameVerifier {
-
-    /**
-     * This contains a list of 2nd-level domains that aren't allowed to
-     * have wildcards when combined with country-codes.
-     * For example: [*.co.uk].
-     * <p/>
-     * The [*.co.uk] problem is an interesting one.  Should we just hope
-     * that CA's would never foolishly allow such a certificate to happen?
-     * Looks like we're the only implementation guarding against this.
-     * Firefox, Curl, Sun Java 1.4, 5, 6 don't bother with this check.
-     */
-    private final static String[] BAD_COUNTRY_2LDS =
-          { "ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
-            "lg", "ne", "net", "or", "org" };
-
-    static {
-        // Just in case developer forgot to manually sort the array.  :-)
-        Arrays.sort(BAD_COUNTRY_2LDS);
-    }
-
-    private final Log log = LogFactory.getLog(getClass());
-
-    public AbstractVerifier() {
-        super();
-    }
-
-    @Override
-    public final void verify(final String host, final SSLSocket ssl)
-          throws IOException {
-        if(host == null) {
-            throw new NullPointerException("host to verify is null");
-        }
-
-        SSLSession session = ssl.getSession();
-        if(session == null) {
-            // In our experience this only happens under IBM 1.4.x when
-            // spurious (unrelated) certificates show up in the server'
-            // chain.  Hopefully this will unearth the real problem:
-            final InputStream in = ssl.getInputStream();
-            in.available();
-            /*
-              If you're looking at the 2 lines of code above because
-              you're running into a problem, you probably have two
-              options:
-
-                #1.  Clean up the certificate chain that your server
-                     is presenting (e.g. edit "/etc/apache2/server.crt"
-                     or wherever it is your server's certificate chain
-                     is defined).
-
-                                           OR
-
-                #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch
-                      to a non-IBM JVM.
-            */
-
-            // If ssl.getInputStream().available() didn't cause an
-            // exception, maybe at least now the session is available?
-            session = ssl.getSession();
-            if(session == null) {
-                // If it's still null, probably a startHandshake() will
-                // unearth the real problem.
-                ssl.startHandshake();
-
-                // Okay, if we still haven't managed to cause an exception,
-                // might as well go for the NPE.  Or maybe we're okay now?
-                session = ssl.getSession();
-            }
-        }
-
-        final Certificate[] certs = session.getPeerCertificates();
-        final X509Certificate x509 = (X509Certificate) certs[0];
-        verify(host, x509);
-    }
-
-    @Override
-    public final boolean verify(final String host, final SSLSession session) {
-        try {
-            final Certificate[] certs = session.getPeerCertificates();
-            final X509Certificate x509 = (X509Certificate) certs[0];
-            verify(host, x509);
-            return true;
-        }
-        catch(final SSLException e) {
-            return false;
-        }
-    }
-
-    @Override
-    public final void verify(final String host, final X509Certificate cert)
-          throws SSLException {
-        final String[] cns = getCNs(cert);
-        final String[] subjectAlts = getSubjectAlts(cert, host);
-        verify(host, cns, subjectAlts);
-    }
-
-    public final void verify(final String host, final String[] cns,
-                             final String[] subjectAlts,
-                             final boolean strictWithSubDomains)
-          throws SSLException {
-
-        // Build the list of names we're going to check.  Our DEFAULT and
-        // STRICT implementations of the HostnameVerifier only use the
-        // first CN provided.  All other CNs are ignored.
-        // (Firefox, wget, curl, Sun Java 1.4, 5, 6 all work this way).
-        final LinkedList<String> names = new LinkedList<String>();
-        if(cns != null && cns.length > 0 && cns[0] != null) {
-            names.add(cns[0]);
-        }
-        if(subjectAlts != null) {
-            for (final String subjectAlt : subjectAlts) {
-                if (subjectAlt != null) {
-                    names.add(subjectAlt);
-                }
-            }
-        }
-
-        if(names.isEmpty()) {
-            final String msg = "Certificate for <" + host + "> doesn't contain CN or
DNS subjectAlt";
-            throw new SSLException(msg);
-        }
-
-        // StringBuilder for building the error message.
-        final StringBuilder buf = new StringBuilder();
-
-        // We're can be case-insensitive when comparing the host we used to
-        // establish the socket to the hostname in the certificate.
-        final String hostName = normaliseIPv6Address(host.trim().toLowerCase(Locale.ROOT));
-        boolean match = false;
-        for(final Iterator<String> it = names.iterator(); it.hasNext();) {
-            // Don't trim the CN, though!
-            String cn = it.next();
-            cn = cn.toLowerCase(Locale.ROOT);
-            // Store CN in StringBuilder in case we need to report an error.
-            buf.append(" <");
-            buf.append(cn);
-            buf.append('>');
-            if(it.hasNext()) {
-                buf.append(" OR");
-            }
-
-            // The CN better have at least two dots if it wants wildcard
-            // action.  It also can't be [*.co.uk] or [*.co.jp] or
-            // [*.org.uk], etc...
-            final String parts[] = cn.split("\\.");
-            final boolean doWildcard =
-                    parts.length >= 3 && parts[0].endsWith("*") &&
-                    validCountryWildcard(cn) && !isIPAddress(host);
-
-            if(doWildcard) {
-                final String firstpart = parts[0];
-                if (firstpart.length() > 1) { // e.g. server*
-                    final String prefix = firstpart.substring(0, firstpart.length() - 1);
// e.g. server
-                    final String suffix = cn.substring(firstpart.length()); // skip wildcard
part from cn
-                    final String hostSuffix = hostName.substring(prefix.length()); // skip
wildcard part from host
-                    match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
-                } else {
-                    match = hostName.endsWith(cn.substring(1));
-                }
-                if(match && strictWithSubDomains) {
-                    // If we're in strict mode, then [*.foo.com] is not
-                    // allowed to match [a.b.foo.com]
-                    match = countDots(hostName) == countDots(cn);
-                }
-            } else {
-                match = hostName.equals(normaliseIPv6Address(cn));
-            }
-            if(match) {
-                break;
-            }
-        }
-        if(!match) {
-            throw new SSLException("hostname in certificate didn't match: <" + host +
"> !=" + buf);
-        }
-    }
-
-    /**
-     * @deprecated (4.3.1) should not be a part of public APIs.
-     */
-    @Deprecated
-    public static boolean acceptableCountryWildcard(final String cn) {
-        final String parts[] = cn.split("\\.");
-        if (parts.length != 3 || parts[2].length() != 2) {
-            return true; // it's not an attempt to wildcard a 2TLD within a country code
-        }
-        return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
-    }
-
-    boolean validCountryWildcard(final String cn) {
-        final String parts[] = cn.split("\\.");
-        if (parts.length != 3 || parts[2].length() != 2) {
-            return true; // it's not an attempt to wildcard a 2TLD within a country code
-        }
-        return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
-    }
-
-    public static String[] getCNs(final X509Certificate cert) {
-        final LinkedList<String> cnList = new LinkedList<String>();
-        /*
-          Sebastian Hauer's original StrictSSLProtocolSocketFactory used
-          getName() and had the following comment:
-
-                Parses a X.500 distinguished name for the value of the
-                "Common Name" field.  This is done a bit sloppy right
-                 now and should probably be done a bit more according to
-                <code>RFC 2253</code>.
-
-           I've noticed that toString() seems to do a better job than
-           getName() on these X500Principal objects, so I'm hoping that
-           addresses Sebastian's concern.
-
-           For example, getName() gives me this:
-           1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-
-           whereas toString() gives me this:
-           EMAILADDRESS=juliusdavies@cucbc.com
-
-           Looks like toString() even works with non-ascii domain names!
-           I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
-        */
-
-        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
-        final StringTokenizer st = new StringTokenizer(subjectPrincipal, ",+");
-        while(st.hasMoreTokens()) {
-            final String tok = st.nextToken().trim();
-            if (tok.length() > 3) {
-                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
-                    cnList.add(tok.substring(3));
-                }
-            }
-        }
-        if(!cnList.isEmpty()) {
-            final String[] cns = new String[cnList.size()];
-            cnList.toArray(cns);
-            return cns;
-        } else {
-            return null;
-        }
-    }
-
-    /**
-     * Extracts the array of SubjectAlt DNS or IP names from an X509Certificate.
-     * Returns null if there aren't any.
-     *
-     * @param cert X509Certificate
-     * @param hostname
-     * @return Array of SubjectALT DNS or IP names stored in the certificate.
-     */
-    private static String[] getSubjectAlts(
-            final X509Certificate cert, final String hostname) {
-        final int subjectType;
-        if (isIPAddress(hostname)) {
-            subjectType = 7;
-        } else {
-            subjectType = 2;
-        }
-
-        final LinkedList<String> subjectAltList = new LinkedList<String>();
-        Collection<List<?>> c = null;
-        try {
-            c = cert.getSubjectAlternativeNames();
-        }
-        catch(final CertificateParsingException cpe) {
-        }
-        if(c != null) {
-            for (final List<?> aC : c) {
-                final List<?> list = aC;
-                final int type = ((Integer) list.get(0)).intValue();
-                if (type == subjectType) {
-                    final String s = (String) list.get(1);
-                    subjectAltList.add(s);
-                }
-            }
-        }
-        if(!subjectAltList.isEmpty()) {
-            final String[] subjectAlts = new String[subjectAltList.size()];
-            subjectAltList.toArray(subjectAlts);
-            return subjectAlts;
-        } else {
-            return null;
-        }
-    }
-
-    /**
-     * Extracts the array of SubjectAlt DNS names from an X509Certificate.
-     * Returns null if there aren't any.
-     * <p/>
-     * Note:  Java doesn't appear able to extract international characters
-     * from the SubjectAlts.  It can only extract international characters
-     * from the CN field.
-     * <p/>
-     * (Or maybe the version of OpenSSL I'm using to test isn't storing the
-     * international characters correctly in the SubjectAlts?).
-     *
-     * @param cert X509Certificate
-     * @return Array of SubjectALT DNS names stored in the certificate.
-     */
-    public static String[] getDNSSubjectAlts(final X509Certificate cert) {
-        return getSubjectAlts(cert, null);
-    }
-
-    /**
-     * Counts the number of dots "." in a string.
-     * @param s  string to count dots from
-     * @return  number of dots
-     */
-    public static int countDots(final String s) {
-        int count = 0;
-        for(int i = 0; i < s.length(); i++) {
-            if(s.charAt(i) == '.') {
-                count++;
-            }
-        }
-        return count;
-    }
-
-    private static boolean isIPAddress(final String hostname) {
-        return hostname != null &&
-            (InetAddressUtils.isIPv4Address(hostname) ||
-                    InetAddressUtils.isIPv6Address(hostname));
-    }
+@Deprecated
+public abstract class AbstractVerifier extends AbstractCommonHostnameVerifier {
 
-    /*
-     * Check if hostname is IPv6, and if so, convert to standard format.
-     */
-    private String normaliseIPv6Address(final String hostname) {
-        if (hostname == null || !InetAddressUtils.isIPv6Address(hostname)) {
-            return hostname;
-        }
-        try {
-            final InetAddress inetAddress = InetAddress.getByName(hostname);
-            return inetAddress.getHostAddress();
-        } catch (final UnknownHostException uhe) { // Should not happen, because we check
for IPv6 address above
-            log.error("Unexpected error converting "+hostname, uhe);
-            return hostname;
-        }
-    }
 }



Mime
View raw message