Hi, HttpComponents, and Not-Yet-Commons-SSL,
I saw an interesting link on Justin Mason's weblog (via Planet Apache):

http://taint.org/2009/11/12/230503a.html

Eventually you find this link:

[Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net
https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html

Just thought I'd let people know that our Hostname Verifier is resistant to this. I think the resistance is coming from the way Java builds the string, because here is the warning I got when I tried to use the cert:

javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost> != <*thoughtcrime.noisebridge.net>
    at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)

But even if Java didn't build the String that way, I think we'd still be resistant, because if I remember correctly, the HttpClient / Not-Yet-Commons-SSL Hostname verifier insists on there being at least two dots (e.g. *.a.com) in a wildcard cert.

A feather in my cap! :-)

--
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/logging.html
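The two defences the mail describes (a certificate name containing a NUL byte never matches, and a wildcard name must carry at least two dots so that "*.com" is rejected) are shown below in a small standalone Java matcher. This is an added illustration, not code from Not-Yet-Commons-SSL or HttpClient; the class name StrictHostnameMatcher and the sample names in main are constructed for this example.

```java
import java.util.Locale;

/** Illustrative hostname matcher applying the rules described in the mail (not the library's code). */
public final class StrictHostnameMatcher {

    /** Returns true only if the certificate name (CN or dNSName) legitimately covers host. */
    public static boolean matches(String host, String certName) {
        if (host == null || certName == null) {
            return false;
        }
        // A NUL inside the name means the CA and the client may have parsed it
        // differently (CA sees "*", client sees the full string); reject outright.
        if (certName.indexOf('\0') >= 0 || host.indexOf('\0') >= 0) {
            return false;
        }
        String h = host.toLowerCase(Locale.ROOT);
        String c = certName.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);            // no wildcard: exact match only
        }
        // Wildcard rules: '*' must be the whole leftmost label, the name must
        // contain at least two dots ("*.a.com" ok, "*.com" rejected), no second
        // '*' anywhere, and the wildcard covers exactly one label of the host.
        String suffix = c.substring(1);    // ".a.com"
        if (countDots(c) < 2 || suffix.indexOf('*') >= 0 || !h.endsWith(suffix)) {
            return false;
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    private static int countDots(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '.') {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample names; the second is the one quoted in the mail.
        System.out.println(matches("www.a.com", "*.a.com"));
        System.out.println(matches("localhost", "*\0thoughtcrime.noisebridge.net"));
        System.out.println(matches("x.y.a.com", "*.a.com"));
        System.out.println(matches("a.com", "*.com"));
    }
}
```

Only the first call should print true; the NUL-bearing name, the two-label host and the single-dot wildcard are all rejected.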
