hc-dev mailing list archives

From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1275) AllowAllHostnameVerifier does not prevent SSL handshake verification errors
Date Wed, 12 Dec 2012 20:04:20 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13530266#comment-13530266 ]

Karl Wright edited comment on HTTPCLIENT-1275 at 12/12/12 8:03 PM:
-------------------------------------------------------------------

Hi Oleg,

If the purpose of AllowAllHostnameVerifier is not to prevent verification of certs, then this
ticket can be closed.

In the code I am using I have a "trust everything" trust store already - that's not the issue.
In fact I suspect that the tester did not build the code correctly, which was a major part
of the problem.  The only thing that is still a bit of a question is whether or not
you can actually get an exception from SSLSession.getPeerCertificates(), and under what circumstances.

                
      was (Author: kwright@metacarta.com):
    Hi Oleg,

If the purpose of AllowAllHostnameVerifier is not to verify certs, then this ticket can be
closed.

In the code I am using I have a "trust everything" trust store already - that's not the issue.
In fact I suspect that the tester did not build the code correctly, which was a major part
of the problem.  The only thing that is still a bit of a question is whether or not
you can actually get an exception from SSLSession.getPeerCertificates(), and under what circumstances.

                  
> AllowAllHostnameVerifier does not prevent SSL handshake verification errors
> ---------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1275
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1275
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: 4.2.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: 4.2.3
>
>
> In debugging unverified SSL connections for the ManifoldCF RSS connector, I discovered that even with AllowAllHostnameVerifier(), which supposedly shuts down SSL hostname verification, the SSLSession method getPeerCertificates() can cause an exception anyway, before the overridden method is called, because peer authentication has not yet occurred.
> See CONNECTORS-579 for details, and for the exact trace.
> I'm also looking for suggestions as to how to properly fix this.  One possibility would be to catch the exception and pass null for the peer certs to the verify method.  Since that loses the exception, though, it might be better to change the method signature of the overridden verify() method and include an Exception object, which could get rethrown if needed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
