hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Julius Davies (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-614) allow different strategies when checking CN of x509 cert
Date Mon, 11 Dec 2006 19:20:26 GMT
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-614?page=comments#action_12457447 ] 
Julius Davies commented on HTTPCLIENT-614:

Trying out a pluggable implementation.

If anyone is interested in seeing where I'm currently at:


Of note:

New interface:

It actually extends the javax.net.ssl one (http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/HostnameVerifier.html).
 But I don't expect our SSLSocketFactory to use that API.  I'm just including that as a comforting
"things seem familiar" door-knob/hand-rail.

Of note, I'm actually sticking the implementation directly inside this interface as anonymous-inner-classes.
 Defining the following:

HostnameVerifier.DEFAULT  (mimics curl and firefox)
HostnameVerifier.STRICT  (mimics java.net.URL, and very close to IE6)
HostnameVerifier.ALLOW_ALL  (turns off hostname verification)

IIRC, anonymous inner-classes only showed up in Java 1.3.x so this would be inappropriate
for Httpclient 3.x (which supports Java 1.2.x).

Now I'm just working on unit tests before I create the patch....

> allow different strategies when checking CN of x509 cert
> --------------------------------------------------------
>                 Key: HTTPCLIENT-614
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-614
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpConn
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>             Fix For: 4.0 Alpha 1
> We're now doing a decent job for checking the CN of the x509 cert with https:
> http://issues.apache.org/jira/browse/HTTPCLIENT-613
> I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out there.  But
there are some more esoteric possibilities, so I think Oleg is right.  We need to let the
user change the strategy, or provide their own strategy if they want to. 
> Some additional things to think about:
> - http://wiki.cacert.org/wiki/VhostTaskForce !!!   CN is depreciated?!?!   (I am not
able to find a popular website on HTTPS that isn't using CN!)
> - [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not IE6.  The
patch for HTTPCLIENT-613 allows subdomains.
> - Should we support multiple CN's in the subject?
> - Should we support "subjectAltName=DNS:www.example.com" ?  Should we support lots of
them in a single cert?
> - Should we support a mix of CN and subjectAltName?
> If we do create some alternate strategies for people to try, I'd probably lean towards
something like this:
> X509NameCheckingStrategy.SUN_JAVA_6  (default)
> X509NameCheckingStrategy.FIREFOX2
> X509NameCheckingStrategy.IE7
> X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS   (aka "STRICT")

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org

View raw message