hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1316) Certificate verification rejects IPv6 addresses which are not String-equal
Date Tue, 05 Feb 2013 11:45:29 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13571245#comment-13571245
] 

Sebb commented on HTTPCLIENT-1316:
----------------------------------

I put the code in AbstractVerifier because the format is specifically for comparisons.  It
did not seem particularly useful elsewhere. 
If it is moved to InetAddressUtils it should probably be renamed to clarify its purpose, as
there might be a need for an RFC5952 version later.

I'm now wondering whether the code should throw IllegalState or log a warning?
Might be too drastic to throw.
                
> Certificate verification rejects IPv6 addresses which are not String-equal
> --------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1316
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1316
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: 4.2.3
>            Reporter: James Livingston
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1316.patch
>
>
> org.apache.http.conn.ssl.AbstractVerifier.verify() does not correctly handle host name
verification when IPv6 addresses are used, as it simply does a string equality check when
doWildcard is false.
> http://tools.ietf.org/html/rfc5952#section-3.2.5 specifically mentions X.509 certificates
as an example when textual comparison of IPv6 addresses is not correct. Examples of incorrect
behaviour are with:
> * leading zeroes
> * zero compression
> * case insensitivity
> For example if you have a SSL certificate for the IP address 2001:0db8:aaaa:bbbb:cccc:0:0:0001,
the alternative representation of 2001:db8:AAAA:bbbb:cccc::1 should be accepted as a match.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message