hc-dev mailing list archives

From Ortwin Glück <...@odi.ch>
Subject Re: our hostname verifier is resistant to \00 (null) after wildcard
Date Fri, 13 Nov 2009 08:42:13 GMT

Thanks for testing it. It'd be nice to have a test case for this kind of forged
certificates in the JUnit test suite, actually. Would you be willing to create one?

Funny enough, I was pretty sure that no Java application would ever be affected
by this bug. Because \0 is an ordinary character in Java, and not a string

Julius Davies wrote:
> Hi, HttpComponents, and Not-Yet-Commons-SSL,
> I saw an interesting link on Justin Mason's weblog (via Planet Apache):
> http://taint.org/2009/11/12/230503a.html
> Eventually you find this link:
> [Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net
> https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html
> Just thought I'd let people know that our Hostname Verifier is
> resistant to this.  I think the resistance is coming from the way Java
> builds the string, because here is the warning I got when I tried to
> use the cert:
> javax.net.ssl.SSLException:
> hostname in certificate didn't match: <localhost> !=
> <*thoughtcrime.noisebridge.net>
> 	at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)
> But even if Java didn't build the String that way, I think we'd still
> be resistant, because if I remember correctly, the HttpClient /
> Not-Yet-Commons-SSL Hostname verifier insists on there being at least
> two dots (e.g. *.a.com) in a wildcard cert.
> A feather in my cap!  :-)

[web]  http://www.odi.ch/
[blog] http://www.odi.ch/weblog/
[pgp]  key 0x81CF3416
       finger print F2B1 B21F F056 D53E 5D79 A5AF 02BE 70F5 81CF 3416
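The two defences Julius describes (comparing the CN as a whole string in which \0 is an ordinary character, and refusing a wildcard unless the pattern contains at least two dots) are modelled below as an added illustration. This is Python written for this archive page, not the Commons-SSL or HttpClient Java code, and it deliberately places a NUL-truncating, endswith-only verifier next to the whole-string one so the difference is visible. The only thing taken from the thread is the CN form `*\x00thoughtcrime.noisebridge.net`; the other names and hosts are constructed, and the truncating verifier is a model of the bug class, not any named library.

```python
"""Hostname verification against a forged CN containing a NUL byte.

Two verifiers are modelled (both are illustrative, neither is the real
Commons-SSL code):
  - verify_truncating(): mimics a C-style verifier that copies the CN into a
    char buffer and therefore stops reading at the first NUL byte, and that
    treats a leading '*' as a plain suffix match.
  - verify(): compares the whole string, as a Java String comparison does,
    and applies the "at least two dots" rule for wildcard patterns.
"""
from typing import Iterable


def c_style_truncate(name: str) -> str:
    # Everything after the first NUL is invisible to a strlen()-based consumer.
    return name.split("\x00", 1)[0]


def pattern_matches(pattern: str, host: str, min_dots: int = 2) -> bool:
    """Match one certificate name against host, case-insensitively.

    A leading '*' stands for exactly one non-empty label and is only honoured
    when the pattern contains at least min_dots dots, so '*' or '*.com' can
    never act as a wildcard. There is no special NUL handling: the string is
    compared whole, and a NUL is simply a character no real hostname contains.
    """
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*"):
        return pattern == host
    if pattern.count(".") < min_dots:
        return False
    suffix = pattern[1:]                       # "*.a.com" -> ".a.com"
    if not host.endswith(suffix):
        return False
    label = host[:len(host) - len(suffix)]     # the part the '*' stood for
    return bool(label) and "." not in label


def verify(host: str, cert_names: Iterable[str]) -> bool:
    """Whole-string verifier with the two-dot wildcard rule."""
    return any(pattern_matches(name, host, min_dots=2) for name in cert_names)


def verify_truncating(host: str, cert_names: Iterable[str]) -> bool:
    """Model of the vulnerable behaviour: NUL truncation plus a loose wildcard."""
    host = host.lower()
    for name in cert_names:
        name = c_style_truncate(name).lower()
        if name.startswith("*") and host.endswith(name[1:]):
            return True        # a bare "*" ends with "" and so matches any host
        if name == host:
            return True
    return False


# Constructed sample names. FORGED_WILDCARD has the CN form from the
# Noisebridge "Certmas" certificate; the others are made up for this example.
FORGED_WILDCARD = "*\x00thoughtcrime.noisebridge.net"
FORGED_EXACT = "www.example.com\x00thoughtcrime.noisebridge.net"
HONEST_WILDCARD = "*.noisebridge.net"

if __name__ == "__main__":
    cases = [
        ("www.example.com", FORGED_WILDCARD),
        ("www.example.com", FORGED_EXACT),
        ("www.noisebridge.net", HONEST_WILDCARD),
        ("a.b.noisebridge.net", HONEST_WILDCARD),
        ("example.com", "*.com"),
    ]
    for host, name in cases:
        print(f"{host:22} vs {name!r:50} "
              f"truncating={verify_truncating(host, [name])!s:5} "
              f"whole={verify(host, [name])}")
```

Running it shows the truncating verifier accepting `www.example.com` for both forged names (the CN collapses to `*` or to the victim hostname), while the whole-string verifier rejects them: the forged wildcard passes the two-dot count but the host does not end with `\x00thoughtcrime.noisebridge.net`, and the forged exact name is simply a different string. The `*.com` case shows the two-dot rule doing its own job, independent of the NUL byte.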
