hc-dev mailing list archives

From Julius Davies <juliusdav...@gmail.com>
Subject our hostname verifier is resistant to \00 (null) after wildcard
Date Fri, 13 Nov 2009 01:58:49 GMT
Hi, HttpComponents, and Not-Yet-Commons-SSL,

I saw an interesting link on Justin Mason's weblog (via Planet Apache):


Eventually you find this link:

[Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net


Just thought I'd let people know that our Hostname Verifier is
resistant to this.  I think the resistance is coming from the way Java
builds the string, because here is the warning I got when I tried to
use the cert:

hostname in certificate didn't match: <localhost> !=
	at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)

But even if Java didn't build the String that way, I think we'd still
be resistant, because if I remember correctly, the HttpClient /
Not-Yet-Commons-SSL Hostname verifier insists on there being at least
two dots (e.g. *.a.com) in a wildcard cert.

A feather in my cap!  :-)


Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)

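An added illustration of the two defences the message relies on, written for this archive page and not taken from HttpClient or Not-Yet-Commons-SSL: the pattern is handled as a full Java String (so an embedded NUL is visible and rejected rather than silently ending the name), and a wildcard pattern must be of the form "*.a.com" with at least two dots. The class name, method names and the constructed test cases are assumptions; only the "localhost" hostname and the "*\x00thoughtcrime.noisebridge.net" CN come from the message.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical hostname matcher (not the project's code). It shows why a CN such as
 * "*\0thoughtcrime.noisebridge.net" cannot match anything here: the NUL is rejected
 * outright, and even without that check the wildcard rules below would refuse it.
 */
public final class SafeHostnameMatcher {

    /** Returns true only if the certificate name (CN or dNSName) matches the hostname. */
    public static boolean matches(String hostname, String pattern) {
        if (hostname == null || pattern == null) return false;
        // Any control character in the name (NUL in particular) is malformed: a C-style
        // check may stop at the NUL, but a Java String carries the whole thing.
        if (hasControlChar(pattern)) return false;
        String host = hostname.toLowerCase(Locale.ROOT);
        String pat = pattern.toLowerCase(Locale.ROOT);
        if (pat.indexOf('*') < 0) return host.equals(pat);
        // Wildcard rules: a single '*' forming the whole leftmost label, and at least
        // two dots in the pattern ("*.example.com" is fine, "*.com" is not).
        if (!pat.startsWith("*.")) return false;
        if (pat.indexOf('*', 1) >= 0) return false;
        if (countDots(pat) < 2) return false;
        String suffix = pat.substring(1);            // e.g. ".example.com"
        if (!host.endsWith(suffix)) return false;
        String leftmost = host.substring(0, host.length() - suffix.length());
        // The wildcard stands for exactly one non-empty label, never several.
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    static boolean hasControlChar(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) return true;
        }
        return false;
    }

    static int countDots(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) if (s.charAt(i) == '.') n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed cases; the NUL pattern mirrors the CN named in the message.
        String nulPattern = "*\0thoughtcrime.noisebridge.net";
        List<String[]> cases = Arrays.asList(
            new String[]{"www.example.com", "*.example.com", "true"},
            new String[]{"a.b.example.com", "*.example.com", "false"},
            new String[]{"example.com", "*.com", "false"},
            new String[]{"localhost", nulPattern, "false"},
            new String[]{"thoughtcrime.noisebridge.net", nulPattern, "false"},
            new String[]{"thoughtcrime.noisebridge.net", "thoughtcrime.noisebridge.net", "true"}
        );
        for (String[] c : cases) {
            boolean got = matches(c[0], c[1]);
            System.out.printf("%-30s vs %-36s -> %s (expected %s)%n",
                c[0], c[1].replace("\0", "\\x00"), got, c[2]);
        }
    }
}
```

The order of the checks matters for diagnosis rather than safety: rejecting control characters first means a log line like the one quoted above can name the malformed certificate instead of reporting a generic wildcard mismatch, while the two-dot and single-label rules still stand on their own if the first check were ever removed.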