hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin van den Bemt (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-613) https should check CN of x509 cert
Date Fri, 08 Dec 2006 16:09:24 GMT
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456897 ] 
Martin van den Bemt commented on HTTPCLIENT-613:

    // The CN better have at least two dots if it wants wildcard action.
+        // (Hmmm... what about *.co.uk ???  Eeek!  Something to think about
+        // on a rainy day, I guess.)

According to your code.. If I am not mistaken .co.uk contains at least 2 dots...

And officially (just had to deal with that issue), you need a wildcard certificate for every
subdomain so :
*.apache.org is a wildcard cerficiate for hostname.apache.org (just that level).
If you want to have a valid certifacate for eg subhostname.hostname.apache.org, you need to
get a *.subhostname.hostname.apache.org certificate for that seperately (although browsers
seem to accept this stuff).

I chose to have an hostname verifier setup that accepts above, but that is just used for staging
and test environments (to prevent us from buyin a huge load of certificates)



> https should check CN of x509 cert
> ----------------------------------
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>         Attachments: SSLSocketFactory.patch, SSLSocketFactory_best.patch, SSLSocketFactory_improved.patch
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection",  the checking provided
by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods on o.a.h.conn.ssl.SSLSocketFactory
to blowup:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com>
!= <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com>
!= <www.vancity.com>
> Hopefully people agree that this is desirable.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org

View raw message