From: "Oleg Kalnichevski (JIRA)"
To: httpcomponents-dev@jakarta.apache.org
Date: Tue, 12 Dec 2006 03:36:23 -0800 (PST)
Subject: [jira] Commented: (HTTPCLIENT-614) allow different strategies when checking CN of x509 cert
Message-ID: <15160108.1165923383911.JavaMail.jira@brutus>
In-Reply-To: <17456851.1165592721718.JavaMail.jira@brutus>

    [ http://issues.apache.org/jira/browse/HTTPCLIENT-614?page=comments#action_12457673 ]

Oleg Kalnichevski commented on HTTPCLIENT-614:
----------------------------------------------
Julius,

Would it be possible to get rid of the dependency on commons-codec, especially if it is only needed to run test cases?

I personally would prefer to move all HostnameVerifier impls to the o.a.http.conn.impl package. HostnameVerifier.DEFAULT and friends should probably be better off moved to an object factory of a sort.

I'll review the patch more thoroughly tomorrow and check it in to the SVN trunk.

Oleg

> allow different strategies when checking CN of x509 cert
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-614
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-614
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpConn
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>             Fix For: 4.0 Alpha 1
>
>         Attachments: ssl.patch
>
>
> We're now doing a decent job for checking the CN of the x509 cert with https:
> http://issues.apache.org/jira/browse/HTTPCLIENT-613
>
> I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out there. But there are some more esoteric possibilities, so I think Oleg is right. We need to let the user change the strategy, or provide their own strategy if they want to.
>
> Some additional things to think about:
>
> - http://wiki.cacert.org/wiki/VhostTaskForce !!! CN is deprecated?!?! (I am not able to find a popular website on HTTPS that isn't using CN!)
> - [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not IE6. The patch for HTTPCLIENT-613 allows subdomains.
> - Should we support multiple CN's in the subject?
> - Should we support "subjectAltName=DNS:www.example.com" ? Should we support lots of them in a single cert?
> - Should we support a mix of CN and subjectAltName?
>
> If we do create some alternate strategies for people to try, I'd probably lean towards something like this:
>
> X509NameCheckingStrategy.SUN_JAVA_6 (default)
> X509NameCheckingStrategy.FIREFOX2
> X509NameCheckingStrategy.IE7
> X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS (aka "STRICT")
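The differences Julius lists above (a strict check that looks only at the first CN and rejects wildcards, an IE6-style check where `*` covers exactly one label, a Firefox-style check where it also covers deeper subdomains, and whether multiple CNs and subjectAltName DNS entries are consulted at all) can be modelled as a small set of strategy knobs. The following Python is an added illustration written for this thread; it is not code from HttpClient or from the ssl.patch attachment. The `Strategy` dataclass, its `all_cns`/`use_san`/`wildcards` fields, the toy `extract_cns` parser and the two sample certificates are constructed for the example and do not correspond to any HttpClient API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Strategy:
    """Hypothetical knobs separating the name-checking strategies named in the thread."""
    name: str
    all_cns: bool      # False: only the first CN in the subject is considered
    use_san: bool      # True: subjectAltName DNS entries are considered as well
    wildcards: str     # "none", "single_label" (IE6-like) or "subdomains" (Firefox-like)


# Constructed strategy presets; the names echo the thread, the behaviour is illustrative only.
STRICT = Strategy("FIRST_CN_AND_NO_WILDCARDS", all_cns=False, use_san=False, wildcards="none")
IE_STYLE = Strategy("IE", all_cns=True, use_san=True, wildcards="single_label")
FIREFOX_STYLE = Strategy("FIREFOX", all_cns=True, use_san=True, wildcards="subdomains")


def extract_cns(subject_dn: str) -> List[str]:
    """Return every CN value from a subject string, in order of appearance.

    Toy parser for strings like "CN=www.example.com, CN=example.com, O=Example Corp".
    It ignores RFC 2253 escaping (commas inside values), which a real verifier must handle.
    """
    return [m.strip() for m in re.findall(r"CN=([^,]+)", subject_dn)]


def candidate_names(cert: Dict, strategy: Strategy) -> List[str]:
    """Collect the names a strategy is willing to compare the host against."""
    cns = extract_cns(cert["subject"])
    names = cns if strategy.all_cns else cns[:1]
    if strategy.use_san:
        names = names + list(cert.get("san_dns", []))
    return names


def name_matches(pattern: str, host: str, wildcards: str) -> bool:
    """Compare one certificate name against the requested host under a wildcard policy."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if wildcards == "none":
        return False
    # Only a single leading "*." label is accepted; "a*.example.com" or "*.*.com" are refused.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                     # ".example.com"
    if suffix.count(".") < 2:                # refuse "*.com": a wildcard over a whole TLD
        return False
    if not host.endswith(suffix):
        return False
    covered = host[: -len(suffix)]           # the part of the host the "*" stands for
    if not covered:                          # "*.example.com" does not cover "example.com"
        return False
    if wildcards == "single_label":
        return "." not in covered            # IE6-like: "*" spans exactly one label
    return True                              # Firefox-like: "*" may span several labels


def verify_hostname(cert: Dict, host: str, strategy: Strategy) -> bool:
    """True if any name the strategy considers matches the host."""
    return any(name_matches(n, host, strategy.wildcards) for n in candidate_names(cert, strategy))


# Constructed sample certificates (only the fields this example needs).
CERT_WILDCARD = {"subject": "CN=*.example.com, O=Example Corp", "san_dns": []}
CERT_MULTI = {
    "subject": "CN=www.example.com, CN=example.com, O=Example Corp",
    "san_dns": ["mail.example.com"],
}

if __name__ == "__main__":
    for cert_name, cert, host in [
        ("wildcard", CERT_WILDCARD, "a.example.com"),
        ("wildcard", CERT_WILDCARD, "a.b.example.com"),
        ("wildcard", CERT_WILDCARD, "example.com"),
        ("multi-CN", CERT_MULTI, "example.com"),
        ("multi-CN", CERT_MULTI, "mail.example.com"),
    ]:
        for strategy in (STRICT, IE_STYLE, FIREFOX_STYLE):
            print(f"{cert_name:9} {host:18} {strategy.name:27} "
                  f"{verify_hostname(cert, host, strategy)}")
```

Running the script prints a matrix of host/strategy outcomes: the wildcard certificate covers `a.example.com` under both browser-style policies but `a.b.example.com` only under the Firefox-style one, and never `example.com` itself; the strict policy sees only the first CN, so `example.com` and the subjectAltName `mail.example.com` on the second certificate are rejected by it and accepted by the other two.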