hc-dev mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject [https/ssl] - CN verification: setAllowedNames() idea
Date Sun, 18 Feb 2007 20:01:26 GMT
Hi,

Cross-posting is evil.  I know!  But
"not-yet-commons-ssl@lists.juliusdavies.ca" only has six subscribers,
so I thought I'd try this on a slightly larger audience.

Here's the idea:


/**
 * Offers a secure way to use virtual-hosting and SSL in some situations:
 * for example you want to connect to "bar.com" but you know in advance
 * that the SSL Certificate on that server only contains "CN=foo.com".  If
 * you setAllowedNames( new String[] { "foo.com" } ) on your SSLClient in
 * advance, you can connect securely, while still using "bar.com" as the
 * host.
 *
 * Here's a code example using "cucbc.com" to connect, but anticipating
 * "www.cucbc.com" in the server's certificate:
 * <pre>
 * SSLClient client = new SSLClient();
 * client.setAllowedNames( new String[] { "www.cucbc.com" } );
 * Socket s = client.createSocket( "cucbc.com", 443 );
 * </pre>
 *
 * This technique is also useful if you don't want to use DNS, and want to
 * connect using the IP address.
 *
 * @param allowedNames array of alternate "allowed names" to try against a
 * server's x509 CN field if the host/ip we used didn't match.  Set to null
 * to force strict matching against host/ip passed into createSocket().
 * Null is the default value.  Must be set in advance, before createSocket() is
 * called.
 */
public void setAllowedNames( String[] allowedNames )
{
	this.allowedNames = allowedNames;
}


Any comments?

The way I've coded it, things get kind of exciting with wildcards.
Here's a code example using "credential.com" to connect, but
anticipating "*.credential.com" in the server's certificate:

SSLClient client = new SSLClient();
client.setAllowedNames( new String[] { "ooga_booga.credential.com" } );
Socket s = client.createSocket( "credential.com", 443 );

But I think that actually makes sense in a wildcard kind of way.

(I plan to sell DVDs through late night infomercials called
"Certificates gone Wildcard").


-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
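The matching logic the proposal above implies, written out as an added example rather than code from the message or from commons-ssl: the connect host is tried first against the certificate's names, and only if that fails are the "allowed names" tried, with null meaning strict mode. The class name AllowedNamesMatcher is hypothetical, and the certificate names are passed in as a constructed list instead of being pulled out of an X509Certificate's CN and subjectAltName fields. Wildcard handling goes a little beyond the message: a "*." prefix is honoured only as the leftmost label, matches exactly one label, never matches the bare domain or an IP literal, and is refused for patterns with fewer than two labels after the star.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical matcher modelled on the setAllowedNames() proposal.
 * Not part of commons-ssl; written as an illustration of the idea.
 */
public final class AllowedNamesMatcher {
    /** Alternate names to try when the connect host does not match; null = strict. */
    private final String[] allowedNames;

    public AllowedNamesMatcher(String[] allowedNames) {
        this.allowedNames = allowedNames == null ? null : allowedNames.clone();
    }

    /**
     * Returns true if the host passed to createSocket(), or (when allowed names
     * are set) any one of the allowed names, matches a name in the certificate.
     * Note that once allowed names are set, the connect host no longer constrains
     * which certificate is accepted; the allowed names do.
     */
    public boolean matches(String connectHost, List<String> certNames) {
        if (matchesAny(connectHost, certNames)) {
            return true;
        }
        if (allowedNames == null) {
            return false; // strict: only the host/ip given to createSocket() counts
        }
        for (String alt : allowedNames) {
            if (matchesAny(alt, certNames)) {
                return true;
            }
        }
        return false;
    }

    private static boolean matchesAny(String host, List<String> certNames) {
        for (String certName : certNames) {
            if (matchesPattern(host, certName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Exact, case-insensitive comparison unless the certificate name starts with
     * "*.", in which case the wildcard stands for exactly one leftmost label.
     */
    static boolean matchesPattern(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = certName.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);
        }
        String suffix = c.substring(1);               // e.g. ".credential.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                             // refuse "*.com" style patterns
        }
        if (isIpLiteral(h)) {
            return false;                             // wildcards never cover IP addresses
        }
        if (!h.endsWith(suffix)) {
            return false;                             // also rejects the bare "credential.com"
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    private static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.indexOf(':') >= 0;
    }

    public static void main(String[] args) {
        // Constructed certificate names, standing in for the CN / subjectAltName entries.
        List<String> wildcardCert = Arrays.asList("*.credential.com");
        List<String> cucbcCert = Arrays.asList("www.cucbc.com");

        AllowedNamesMatcher strict = new AllowedNamesMatcher(null);
        AllowedNamesMatcher cucbc = new AllowedNamesMatcher(new String[] { "www.cucbc.com" });
        AllowedNamesMatcher wild = new AllowedNamesMatcher(new String[] { "ooga_booga.credential.com" });

        System.out.println("strict, cucbc.com vs www.cucbc.com:      " + strict.matches("cucbc.com", cucbcCert));
        System.out.println("allowed, cucbc.com vs www.cucbc.com:     " + cucbc.matches("cucbc.com", cucbcCert));
        System.out.println("strict, credential.com vs *.credential:  " + strict.matches("credential.com", wildcardCert));
        System.out.println("allowed, credential.com vs *.credential: " + wild.matches("credential.com", wildcardCert));
        System.out.println("a.b.credential.com vs *.credential.com:  " + matchesPattern("a.b.credential.com", "*.credential.com"));
        System.out.println("10.0.0.1 vs *.0.0.1:                     " + matchesPattern("10.0.0.1", "*.0.0.1"));
    }
}
```

The practical consequence of the fallback ordering is worth keeping in mind when deciding what to put in setAllowedNames(): the allowed names are a pin on the certificate, not a relaxation tied to the particular host, so they should be set only for the specific server the client is meant to reach, and cleared (set back to null) afterwards.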

