hc-dev mailing list archives

From "Sidney Beekhoven (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1410) AbstractVerifier.acceptableCountryWildcard check not strict enough
Date Wed, 02 Oct 2013 14:32:42 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13784007#comment-13784007 ]

Sidney Beekhoven commented on HTTPCLIENT-1410:
----------------------------------------------

I even wonder if the complete check should be there at all, like it is also stated in the
comment of the BAD_COUNTRY_2LDS var:

"The [*.co.uk] problem is an interesting one.  Should we just hope
* that CA's would never foolishly allow such a certificate to happen?
* Looks like we're the only implementation guarding against this.
* Firefox, Curl, Sun Java 1.4, 5, 6 don't bother with this check."

As far as I can see there is not a fixed rule set for these kinds of domains?

> AbstractVerifier.acceptableCountryWildcard check not strict enough
> ------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1410
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1410
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3 Final
>            Reporter: Sidney Beekhoven
>
> I work at a company called info.nl in the Netherlands, so our domain is info.nl. We have a wildcard certificate in use for several services, *.info.nl.
> The AbstractVerifier has a method acceptableCountryWildcard which checks that you don't use e.g. *.co.uk as the wildcard in the certificate. The second to last domain part is checked against a fixed list, which includes info so our wildcard is not accepted.
> Apparently there are some countries where info.<countrycode> is seen as a top level domain but that is not the case for the Netherlands. So the check on this is not strict enough and should also take into account the top level domain.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
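
The difference between the label-only check described in the report and a check that also looks at the top-level domain, as an added example (not HttpClient's own code and not part of the original message). The class name, both method names and both sample sets are assumptions made for illustration; `zz` is a placeholder country code.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class WildcardSuffixCheck {
    // Constructed sample of registry-controlled suffixes (assumption, not an
    // authoritative list): "co.uk" is the case named in the thread, "info.zz"
    // stands in for a country whose registry does use info.<cc> as a suffix.
    static final Set<String> SAMPLE_SUFFIXES =
            new HashSet<>(Arrays.asList("co.uk", "info.zz"));

    // Constructed label-only list in the style the report describes:
    // it matches "info" under any two-letter TLD.
    static final Set<String> SAMPLE_2LD_LABELS =
            new HashSet<>(Arrays.asList("co", "info"));

    /** Label-only check: rejects *.label.cc whenever the label is on the list. */
    static boolean acceptLabelOnly(String cn) {
        String[] parts = cn.toLowerCase(Locale.ROOT).split("\\.");
        if (parts.length != 3 || !parts[0].equals("*") || parts[2].length() != 2) {
            return true; // only the "*.label.cc" shape is examined
        }
        return !SAMPLE_2LD_LABELS.contains(parts[1]);
    }

    /** Suffix-aware check: rejects only when "label.cc" as a pair is a listed suffix. */
    static boolean acceptSuffixAware(String cn) {
        String[] parts = cn.toLowerCase(Locale.ROOT).split("\\.");
        if (parts.length != 3 || !parts[0].equals("*") || parts[2].length() != 2) {
            return true; // only the "*.label.cc" shape is examined
        }
        return !SAMPLE_SUFFIXES.contains(parts[1] + "." + parts[2]);
    }

    public static void main(String[] args) {
        // Constructed certificate names; *.info.nl is the reporter's case.
        String[] names = {"*.info.nl", "*.co.uk", "*.info.zz", "*.example.nl"};
        for (String cn : names) {
            System.out.printf("%-14s label-only=%-5b suffix-aware=%b%n",
                    cn, acceptLabelOnly(cn), acceptSuffixAware(cn));
        }
    }
}
```

Both checks still reject `*.co.uk`; only the label-only check rejects `*.info.nl`, which is the false rejection the report describes.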
