hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roland Weber (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address
Date Tue, 19 Dec 2006 19:33:24 GMT
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=comments#action_12459735 ] 
            
Roland Weber commented on HTTPCLIENT-617:
-----------------------------------------

Hi Julius,

I'm not sure that an IP address is allowed to have anything but US-ASCII digits 0-9. And instead
of hand-parsing, you could just use a precompiled regular expression... ;-) The "precompiled"
is important here. If it's not precompiled, hand-parsing will definitely be more efficient.

cheers,
  Roland


> Hostname verification:  turn off wildcards when CN is an IP address
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-617
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-617
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Minor
>
> Hostname verification:   turn off wildcards when CN is an IP address.  This is a further
improvement on HTTPCLIENT-613 and HTTPCLIENT-614.
> Example - don't allow:
> CN=*.114.102.2
> I'm thinking of grabbing the substring following the final dot, and running it through
"Integer.parseInt()".  If the NumberFormatException isn't thrown (so Integer.parseInt() actually
worked!), then I'll turn off wildcard matching.  Notice that this won't be a problem with
IP6 addresses, since they don't use dots.  It's only a problem with IP4, where the meaning
of the dots clashes with dots in domain names.
> Note:  when I turn off wildcard matching, I still attempt an exact match with the hostname.
 If through some weird mechanism the client is actually able to use a hostname such as "https://*.114.102.2/",
then they will be okay if that's what the certificate on the server contains.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org


Mime
View raw message