hc-dev mailing list archives

From "David Jorm (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1549) CVE-2014-3577 patch may not be RFC-compliant
Date Wed, 27 Aug 2014 01:26:58 GMT
David Jorm created HTTPCLIENT-1549:
--------------------------------------

             Summary: CVE-2014-3577 patch may not be RFC-compliant
                 Key: HTTPCLIENT-1549
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1549
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.3.5
            Reporter: David Jorm
            Priority: Minor


The fix for CVE-2014-3577 may not be RFC-compliant:

http://svn.apache.org/viewvc?view=revision&revision=1614065

RFC 2818 says that "the (most specific) Common Name field in the Subject field of the certificate
MUST be used". I'm not sure if the most specific is the rightmost or the leftmost, but I
don't believe it should pick multiple CN values from the certificate subject. Please let me
know if this analysis is accurate.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
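
The difference between the two readings raised in the report, as an added example that is not part of the original message and is not HttpClient's own code. It assumes "most specific" means the leftmost CN in the RFC 2253 string form of the subject, uses a constructed subject DN and hypothetical class and method names, and does exact matching only (no wildcards, no subjectAltName handling).

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MostSpecificCn {

    // All CN values in the subject, ordered left to right as they appear in
    // the RFC 2253 string (assumed here to mean most specific first).
    static List<String> commonNames(String subjectDn) throws NamingException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        List<String> cns = new ArrayList<>();
        // LdapName numbers RDNs from the right: index 0 is the rightmost RDN.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // toAttributes() also covers multi-valued RDNs such as CN=a+OU=b.
            Attribute cn = rdns.get(i).toAttributes().get("cn");
            if (cn != null && cn.get() != null) {
                cns.add(cn.get().toString());
            }
        }
        return cns;
    }

    // Strict reading: only the single most specific CN is a candidate.
    static boolean matchesMostSpecific(String subjectDn, String host) throws NamingException {
        List<String> cns = commonNames(subjectDn);
        return !cns.isEmpty() && cns.get(0).equalsIgnoreCase(host);
    }

    // Lenient reading: any CN in the subject is accepted.
    static boolean matchesAny(String subjectDn, String host) throws NamingException {
        for (String cn : commonNames(subjectDn)) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject DN with two CN RDNs (not from a real certificate).
        String dn = "CN=www.example.com, CN=legacy.example.net, O=Example Corp, C=US";
        System.out.println(commonNames(dn));
        System.out.println(matchesMostSpecific(dn, "legacy.example.net"));
        System.out.println(matchesAny(dn, "legacy.example.net"));
    }
}
```

For the constructed DN, the host legacy.example.net is rejected by the strict check and accepted by the lenient one, which is the behavioural gap the report asks about.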
