hc-dev mailing list archives

From "Julius Davies (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-613) https should check CN of x509 cert
Date Fri, 08 Dec 2006 16:46:22 GMT
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456908 ] 
            
Julius Davies commented on HTTPCLIENT-613:
------------------------------------------

HTTPCLIENT-614 will try to address Martin's concerns.

This wiki entry has an interesting catalog of browser behaviour:

http://wiki.cacert.org/wiki/WildcardCertificates

- IE6 doesn't allow subdomains (so follows the RFC).   *.apache.org  does not match  "a.b.apache.org".

- Firefox/Mozilla allows subdomains (breaks RFC).    *.apache.org  DOES MATCH  "a.b.apache.org"!

- New versions of Konqueror (so Safari too?) allow subdomains (breaks RFC).

- Opera allows subdomains (breaks RFC).


I think I'll do some experimentation on my own and test some additional clients.  I'll add
my findings to cacert's very handy wiki!  Curious about the following (but I'm lazy so I'm
just going to stick to Linux):

- wget
- curl
- java.net.URL on the following:
   1.  Sun Java 1.3.1 + JSSE  
   2.  Sun Java 1.4.2
   3.  Sun Java 5.0
   4.  Sun Java 6.0
   5.  IBM Java 1.4.2
   6.  IBM Java 5.0
   7.  JRockit Java 1.4.2
   8.  JRockit Java 5.0



> https should check CN of x509 cert
> ----------------------------------
>
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>
>         Attachments: SSLSocketFactory.patch, SSLSocketFactory_best.patch, SSLSocketFactory_improved.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection",  the checking provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods on o.a.h.conn.ssl.SSLSocketFactory to blowup:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.
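The two wildcard readings catalogued above (strict RFC 2818, one label only, versus the lenient "subdomains too" behaviour), plus the exact-match case from test1/test2, as an added example; this is not the patch attached to HTTPCLIENT-613 nor HttpClient's own verifier, and the rule rejecting a bare "*.org"-style pattern is an extra conservative assumption, not something the RFC spells out:

```java
import java.util.Locale;

/** Matches a certificate name (CN or dNSName) against a target host. Example code, not HttpClient's. */
public final class WildcardMatch {

    /** Strict RFC 2818 reading: "*" stands for exactly one label (the IE6 behaviour). */
    public static boolean matchesStrict(String certName, String host) {
        return matches(certName, host, false);
    }

    /** Lenient reading: "*" may also span several labels (Firefox/Mozilla, Konqueror, Opera). */
    public static boolean matchesLenient(String certName, String host) {
        return matches(certName, host, true);
    }

    private static boolean matches(String certName, String host, boolean allowSubdomains) {
        String pattern = certName.toLowerCase(Locale.ENGLISH);
        String target = host.toLowerCase(Locale.ENGLISH);
        if (!pattern.startsWith("*.")) {
            // No wildcard: names must be identical, so "vancity.com" does not cover "www.vancity.com".
            return pattern.equals(target);
        }
        // Only a leading "*." is honoured; "a*b.example" or "*.*.example" never match.
        String suffix = pattern.substring(1);                       // e.g. ".apache.org"
        if (suffix.indexOf('*') >= 0 || suffix.indexOf('.', 1) < 0) {
            return false;                                           // assumption: "*.org" is too broad
        }
        if (target.length() <= suffix.length() || !target.endsWith(suffix)) {
            return false;
        }
        String prefix = target.substring(0, target.length() - suffix.length()); // "www" or "a.b"
        if (prefix.length() == 0) {
            return false;
        }
        // Strict: the part covered by "*" must be a single label (no dots in it).
        return allowSubdomains || prefix.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        System.out.println("strict  *.apache.org vs www.apache.org : " + matchesStrict("*.apache.org", "www.apache.org"));
        System.out.println("strict  *.apache.org vs a.b.apache.org : " + matchesStrict("*.apache.org", "a.b.apache.org"));
        System.out.println("lenient *.apache.org vs a.b.apache.org : " + matchesLenient("*.apache.org", "a.b.apache.org"));
        System.out.println("strict  vancity.com  vs www.vancity.com: " + matchesStrict("vancity.com", "www.vancity.com"));
    }
}
```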

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira