hc-dev mailing list archives

From "Suphannee Sivakorn (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1802) RFC violations in hostname checking
Date Thu, 19 Jan 2017 21:51:26 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1802?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15830669#comment-15830669 ]

Suphannee Sivakorn commented on HTTPCLIENT-1802:
------------------------------------------------

Oleg,

#1 OK
#2 It is good. The idea is to use the certificate common name as the last resort to check
(only when no subjectAltName is available). You might want to check the case where the hostname is 2.2.2.2
and the certificate has common name 2.2.2.2, which should return a match. But from the code
I looked at, it should be fine somehow.


> RFC violations in hostname checking
> -----------------------------------
>
>                 Key: HTTPCLIENT-1802
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1802
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.2
>            Reporter: Suphannee Sivakorn
>            Assignee: Oleg Kalnichevski
>            Priority: Minor
>             Fix For: 4.5.3, 5.0 Alpha2
>
>         Attachments: 1_1_1_1.pem, s_google_com.pem
>
>
> 1. Matching commonName in a case-sensitive manner when a wildcard is present
> (violation of RFC 6125 and RFC 5280)
> HttpClient matches the certificate commonName in a case-sensitive manner
> when there is a wildcard present in the certificate commonName. For
> example, given the commonName "*.google.com", HttpClient matches
> "foo.google.com"; it does not, however, match "foo.Google.com". We found
> that this behavior is inconsistent with section 6.4.4 of the RFC 6125
> specification -- "If the client chooses to compare a reference
> identifier of type CN-ID against that string, it MUST follow the
> comparison rules for the DNS domain name portion of an identifier of
> type DNS-ID, SRV-ID, or URI-ID". Note that DNS-ID, SRV-ID and
> URI-ID are all matched in a case-insensitive manner (RFC 5280).
> Testing certificate attached: s_google_com.pem
> Testing hostname: foo.Google.com
> Expected behavior: match
> 2. Attempting to match commonName when a subjectAltName identifier is present
> Section 6.3 of RFC 6125 prohibits clients from attempting to match the
> certificate CN if the presented identifiers include a DNS-ID, SRV-ID,
> URI-ID, or any application-specific identifier types supported by the
> client. We found that HttpClient violates this requirement as it
> attempts to match the CN even when a subjectAltName identifier is
> present, e.g., an IP address. However, the library does not attempt to
> match the certificate CN when a subjectAltName DNS entry is present.
> Testing certificate attached: 1_1_1_1.pem
> Testing hostname: dummy-value.com
> Expected behavior: no match
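As an added illustration, not HttpClient's own code, the following Python models the two rules discussed in the issue description and in the comment above: a CN-ID is compared with the case-insensitive DNS-ID rules, and the CN is consulted only when the certificate presents no subjectAltName at all. The SAN and CN values are constructed inputs rather than parsed from the attached .pem files, and the CN of 1_1_1_1.pem is assumed to equal the tested hostname to show that the SAN rule, not the CN, decides.

```python
import ipaddress


def dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 s6.4.3-style comparison: case-insensitive, wildcard only as
    the whole left-most label, never matching across a label boundary."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        # No leading wildcard: exact (case-folded) match. A partial-label
        # wildcard such as "f*.example" is treated as a literal and never matches.
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.example.com" must not match "example.com" or "a.b.example.com"
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def verify(host: str, san_dns=(), san_ip=(), cn=None) -> bool:
    """Return True if host is matched by the presented identifiers.
    san_dns / san_ip are the certificate's dNSName / iPAddress SAN entries
    (constructed lists here), cn is the subject commonName or None."""
    if san_dns or san_ip:
        # s6.3: once a subjectAltName is presented the CN is never consulted.
        if is_ip_literal(host):
            target = ipaddress.ip_address(host)
            return any(ipaddress.ip_address(ip) == target for ip in san_ip)
        return any(dns_match(p, host) for p in san_dns)
    if cn is None:
        return False
    # CN-ID is the last resort and, per s6.4.4, follows the DNS-ID rules.
    if is_ip_literal(host):
        return is_ip_literal(cn) and ipaddress.ip_address(cn) == ipaddress.ip_address(host)
    return dns_match(cn, host)
```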



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
