hc-dev mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users
Date Mon, 05 Feb 2007 14:05:35 GMT
Thanks, everyone, for your comments!  I didn't realize Httpclient-4.0
was going to be such a dramatic change to the consumers.  Since that's
the case this isn't such a big deal.

Mind you, upgrading (or maybe "switching" is a better word) to
httpclient-4.0 should only affect the client code.  This change can
require people to fix their client, their server, and their DNS, and
this issue might not show up for people until they hit their production
environments.  I imagine it will be a little stressful!

Regarding:

https-no-host-verify://
https-completely-insecure://

I agree with Roland and Michael that it is best if people not use them
at all.  But I see so many people just blindly using "easy" on the
"httpclient-user" mailing list, I thought maybe
"https-completely-insecure://" would scare them off.

But I also agree that I'm probably being foolish, and that including
it might just encourage more people!

(I wonder if those schemes would have helped the public PKI situation
had they been part of the standards.  Probably not.)

-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
