hc-dev mailing list archives

From Julius Davies <juliusdav...@gmail.com>
Subject our hostname verifier is resistant to \00 (null) after wildcard
Date Fri, 13 Nov 2009 01:58:49 GMT
Hi, HttpComponents, and Not-Yet-Commons-SSL,


I saw an interesting link on Justin Mason's weblog (via Planet Apache):

http://taint.org/2009/11/12/230503a.html

Eventually you find this link:

[Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net

https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html



Just thought I'd let people know that our Hostname Verifier is
resistant to this.  I think the resistance is coming from the way Java
builds the string, because here is the warning I got when I tried to
use the cert:


javax.net.ssl.SSLException:
hostname in certificate didn't match: <localhost> !=
<*thoughtcrime.noisebridge.net>
	at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)


But even if Java didn't build the String that way, I think we'd still
be resistant, because if I remember correctly, the HttpClient /
Not-Yet-Commons-SSL Hostname verifier insists on there being at least
two dots (e.g. *.a.com) in a wildcard cert.


A feather in my cap!  :-)


-- 
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/logging.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
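The two defences the message describes, rejecting a CN that contains an embedded NUL and refusing wildcard patterns that do not have at least two dots, written out as an added example. This is illustrative code, not the HttpClient or Not-Yet-Commons-SSL verifier itself; the function names and the single-label wildcard rule are assumptions, and the sample CN values are constructed from the one quoted in the message.

```python
"""Added example (not the Commons-SSL / HttpClient code): a minimal CN
matcher that applies the two checks the message relies on."""


def cn_is_well_formed(cn: str) -> bool:
    """Reject an empty CN or one containing control characters.

    A NUL (\\x00) embedded in the CN is the trick behind the Noisebridge
    cert: a C-style string compare stops at the NUL and sees only "*".
    """
    return bool(cn) and all(0x20 <= ord(ch) != 0x7F for ch in cn)


def wildcard_is_acceptable(pattern: str) -> bool:
    """Accept only a leading '*.' followed by at least two dots (e.g. *.a.com).

    This mirrors the 'at least two dots' rule from the message; the
    leading '*.' requirement is an assumption of this example.
    """
    if not pattern.startswith("*."):
        return False
    rest = pattern[1:]  # ".a.com"
    return rest.count(".") >= 2 and "*" not in rest


def hostname_matches(hostname: str, cn: str) -> bool:
    """Return True if `hostname` is covered by the certificate CN `cn`."""
    if not cn_is_well_formed(cn):
        return False
    host = hostname.lower().rstrip(".")
    pat = cn.lower()
    if "*" not in pat:
        return host == pat
    if not wildcard_is_acceptable(pat):
        return False
    suffix = pat[1:]  # ".thoughtcrime.noisebridge.net"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    # The wildcard stands for exactly one non-empty DNS label.
    return bool(label) and "." not in label


if __name__ == "__main__":
    # Constructed sample CNs, including the one quoted in the message.
    evil_cn = "*\x00thoughtcrime.noisebridge.net"
    stripped_cn = "*thoughtcrime.noisebridge.net"  # what Java showed in the error
    good_cn = "*.thoughtcrime.noisebridge.net"
    print(hostname_matches("localhost", evil_cn))       # False: NUL rejected
    print(hostname_matches("localhost", stripped_cn))   # False: no '*.' prefix
    print(hostname_matches("www.thoughtcrime.noisebridge.net", good_cn))  # True
```

Running it shows that the NUL-bearing CN is refused before any matching happens, and that even the NUL-stripped form Java produced ("*thoughtcrime.noisebridge.net") fails the wildcard shape check, which is the second line of resistance the message points to.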

