hc-dev mailing list archives

From "Julius Davies (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-613) https should check CN of x509 cert
Date Thu, 07 Dec 2006 22:09:29 GMT
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456616 ] 
Julius Davies commented on HTTPCLIENT-613:

To account for a problem with IBM 1.4.x JVMs, I think we should also test against sslSocket.getSession()
being null.  If it is null, we should try to get the socket to blow up by calling socket.getInputStream().available().

SSLSocket ssl = (SSLSocket) s;
SSLSession session = ssl.getSession();
if ( session == null ) {
    // In our experience this only happens under IBM 1.4.x.
    // hopefully this will unearth the real problem:
    ssl.getInputStream().available();
}

[Not sure how to deal with this 2nd patch.  Do I upload a new patch containing both fixes?
 Sorry I'm such a newb!]

Here's some background info:

The IBM 1.4.x JVM, when acting as an SSL client, is quite picky about the certificate chain
that the server presents.  If the server includes some stray certificates in the chain, IBM
will blow up.

But it takes a little while to blow up:

SSLSocket s = factory.createSocket( host, port );

// okay, we're still okay

SSLSession session = s.getSession();

// still okay!  No exceptions thrown!   But session is null.  Uh oh.

InputStream in = s.getInputStream();

// Still no exceptions thrown!  Wow, IBM is a survivor.

in.available();

// ! * BOOM * !

javax.net.ssl.SSLHandshakeException: bad certificate
        at com.ibm.jsse.bv.a(Unknown Source)
        at com.ibm.jsse.a.a(Unknown Source)
        at com.ibm.jsse.a.available(Unknown Source)

> https should check CN of x509 cert
> ----------------------------------
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>         Attachments: SSLSocketFactory.patch
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection", the checking provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods on o.a.h.conn.ssl.SSLSocketFactory to blow up:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
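The check discussed in this thread, written out as an added example (this is not the SSLSocketFactory.patch attached to the issue, nor HttpClient's own code): it collects the names a server's leaf certificate claims (dNSName subjectAltNames first, then the subject CN), compares them to the requested host in RFC 2818 style (exact match, or a single left-most wildcard covering exactly one label, with bare "*.com" rejected), and treats a null SSLSession as the IBM 1.4.x symptom described above by calling available() on the input stream so the real handshake exception surfaces. The class and method names are mine; main() runs only on constructed name lists (the vancity.com case from the issue), so no real certificate or network connection is involved.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;

public class HostnameCheck {

    /** Host names the leaf certificate claims: dNSName SANs, then the subject CN. */
    static List<String> certNames(X509Certificate cert) throws SSLException {
        List<String> names = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    // GeneralName type 2 is dNSName (RFC 5280, 4.2.1.6)
                    if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1));
                }
            }
            // CN taken from the RFC 2253 form of the subject DN, parsed properly
            String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) names.add(String.valueOf(rdn.getValue()));
            }
        } catch (CertificateParsingException | InvalidNameException e) {
            throw new SSLException("could not read names from certificate", e);
        }
        return names;
    }

    /** RFC 2818 style: exact match, or "*" as the left-most label matching exactly one host label. */
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        String suffix = p.substring(1);               // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false; // refuse "*.com": a public suffix
        if (!h.endsWith(suffix)) return false;
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0; // one label only, no "a.b"
    }

    /** Throws unless at least one certificate name matches the requested host. */
    static void verify(String host, List<String> names) throws SSLException {
        for (String name : names) {
            if (matches(host, name)) return;
        }
        throw new SSLException("hostname in certificate didn't match: <"
                + String.join(", ", names) + "> != <" + host + ">");
    }

    /** Check a freshly connected socket, including the null-session quirk from the thread. */
    static void verify(SSLSocket ssl, String host) throws IOException {
        SSLSession session = ssl.getSession();
        if (session == null) {
            // IBM 1.4.x symptom: poke the stream so the handshake exception surfaces
            ssl.getInputStream().available();
            session = ssl.getSession();
            if (session == null) throw new SSLException("no SSL session after handshake");
        }
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new SSLException("peer not authenticated", e);
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLException("no X.509 leaf certificate from peer");
        }
        // Only the leaf (chain[0]) names the server; stray extra certificates are ignored.
        verify(host, certNames((X509Certificate) chain[0]));
    }

    public static void main(String[] args) {
        // Constructed inputs, not real certificates: the two cases from the issue text.
        List<String> certForVancity = List.of("vancity.com");
        for (String host : new String[] { "vancity.com", "www.vancity.com" }) {
            try {
                verify(host, certForVancity);
                System.out.println(host + ": ok");
            } catch (SSLException e) {
                System.out.println(host + ": " + e.getMessage());
            }
        }
        // Wildcard handling on a constructed pattern.
        for (String host : new String[] { "www.example.com", "example.com", "a.b.example.com" }) {
            System.out.println(host + " vs *.example.com: " + matches(host, "*.example.com"));
        }
    }
}
```

The SAN list is consulted before the CN because a certificate that carries any dNSName entries is meant to be matched on those; the CN-only path is what the issue title asks for and is kept for certificates that have no SAN extension.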
