hc-dev mailing list archives

From "Sidney Beekhoven (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1410) AbstractVerifier.acceptableCountryWildcard check not strict enough
Date Wed, 02 Oct 2013 15:46:43 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13784087#comment-13784087 ]

Sidney Beekhoven commented on HTTPCLIENT-1410:

Sorry, I'll try to be more clear :)

The acceptableCountryWildcard method is now returning false in cases where it should return
true. For example, for the following cases it should return false (which it already does):


Because you cannot have a domain like www.co.uk.

But for the following case it should return true (but now also returns false):


Because now the acceptableCountryWildcard returns false, it does not handle the check as
a wildcard and does an equals on *.info.nl with, for example, www.info.nl, and thus the hostname
check fails.

I am looking into the code to see if there is a good solution for this, but it seems that
it is nowhere clearly defined which countries use a system like in the UK.

I hope it is a bit more clear like this.

> AbstractVerifier.acceptableCountryWildcard check not strict enough
> ------------------------------------------------------------------
>                 Key: HTTPCLIENT-1410
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1410
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3 Final
>            Reporter: Sidney Beekhoven
> I work at a company called info.nl in the Netherlands, so our domain is info.nl. We have a wildcard certificate in use for several services, *.info.nl.
> The AbstractVerifier has a method acceptableCountryWildcard which checks that you don't use e.g. *.co.uk as the wildcard in the certificate. The second to last domain part is checked against a fixed list, which includes info so our wildcard is not accepted.
> Apparently there are some countries where info.<countrycode> is seen as a top level domain but that is not the case for the Netherlands. So the check on this is not strict enough and should also take into account the top level domain.

This message was sent by Atlassian JIRA
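
The behaviour reported above, next to a check that also looks at the top level domain, as an added example that is not part of the original message and not HttpClient source. The class and method names are hypothetical, and both label tables are constructed samples (the message only confirms that the fixed list contains "info").

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration, not HttpClient code. All names and table contents are assumptions.
public class CountryWildcardCheck {
    // Constructed fixed list of second-level labels, applied to every two-letter TLD.
    static final Set<String> FIXED_2LDS =
        Set.of("ac", "co", "com", "edu", "gov", "info", "net", "org");

    // Constructed per-country table: labels that act as registry suffixes under that ccTLD.
    static final Map<String, Set<String>> REGISTRY_2LDS = Map.of(
        "uk", Set.of("ac", "co", "gov", "org"),
        "jp", Set.of("ac", "co", "go", "ne", "or"));

    // Returns the labels when cn has the shape "*.label.cc" (two-letter TLD), else null.
    static String[] countryWildcardLabels(String cn) {
        String[] parts = cn.toLowerCase(Locale.ROOT).split("\\.");
        boolean shape = parts.length == 3 && parts[0].equals("*") && parts[2].length() == 2;
        return shape ? parts : null;
    }

    // Behaviour described in the report: the second-level label alone decides.
    static boolean acceptableFixedList(String cn) {
        String[] p = countryWildcardLabels(cn);
        return p == null || !FIXED_2LDS.contains(p[1]);
    }

    // Stricter variant: a label is refused only under a TLD whose registry uses it.
    static boolean acceptableWithTld(String cn) {
        String[] p = countryWildcardLabels(cn);
        return p == null || !REGISTRY_2LDS.getOrDefault(p[2], Set.of()).contains(p[1]);
    }

    public static void main(String[] args) {
        // *.co.uk and *.co.jp are refused by both checks; *.info.nl only by the fixed list.
        for (String cn : List.of("*.co.uk", "*.info.nl", "*.example.nl", "*.co.jp")) {
            System.out.printf("%-14s fixed-list=%-5b tld-aware=%b%n",
                cn, acceptableFixedList(cn), acceptableWithTld(cn));
        }
    }
}
```

A country code missing from the per-country table is accepted by the second check, so that table has to be complete for the wildcard restriction to hold.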
