hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roland Weber (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address
Date Tue, 19 Dec 2006 19:07:22 GMT
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=comments#action_12459728 ] 
            
Roland Weber commented on HTTPCLIENT-617:
-----------------------------------------

Hi Julius,

throwing an exception is generally a very expensive operation. Code that throws and catches
exceptions in the normal course of operations is _highly_ questionable. This is HttpClient
4.x, so the prerequisite is Java 1.4 which already supports regular expressions. If you have
to check a string for a format as simple as this, please use a precompiled regular expression.
If you're not familiar with the regexp format, I'll help you out.

cheers,
  Roland


> Hostname verification:  turn off wildcards when CN is an IP address
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-617
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-617
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Minor
>
> Hostname verification:   turn off wildcards when CN is an IP address.  This is a further
improvement on HTTPCLIENT-613 and HTTPCLIENT-614.
> Example - don't allow:
> CN=*.114.102.2
> I'm thinking of grabbing the substring following the final dot, and running it through
"Integer.parseInt()".  If the NumberFormatException isn't thrown (so Integer.parseInt() actually
worked!), then I'll turn off wildcard matching.  Notice that this won't be a problem with
IP6 addresses, since they don't use dots.  It's only a problem with IP4, where the meaning
of the dots clashes with dots in domain names.
> Note:  when I turn off wildcard matching, I still attempt an exact match with the hostname.
 If through some weird mechanism the client is actually able to use a hostname such as "https://*.114.102.2/",
then they will be okay if that's what the certificate on the server contains.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org


Mime
View raw message