hc-dev mailing list archives

From Roland Weber <http-as...@dubioso.net>
Subject Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users
Date Mon, 05 Feb 2007 16:50:37 GMT
Hi Julius,

> Mind you, upgrading (or maybe "switching" is a better word) to
> httpclient-4.0 should only affect the client code.  This change can
> require people to fix their client, their server, and their DNS, and
> this issue might not show up for people until they hit their production
> environments.  I imagine it will be a little stressful!

Thanks for bringing it to our attention. We will remember it by the
time we're writing an SSL guide for 4.0. And if it hits them only
in production, their integration and staging environments aren't
good enough ;-)

> I agree with Roland and Michael that it is best if people not use them
> at all.  But I see so many people just blindly using "easy" on the
> "httpclient-user" mailing list, I thought maybe
> "https-completely-insecure://" would scare them off.

We'll be addressing that in the SSL 4.0 guide, too. And I'll see to
it that the "EasySSLProtocolSocketFactory" changes its name not only
after the "SSL" part :-)

> (I wonder if those schemes would have helped the public PKI situation
> had they been part of the standards.  Probably not.)

Hardly. The point of PKI is to establish a chain of trust.
You can't do that by removing the trust.

cheers,
  Roland
