James Livingston created HTTPCLIENT-1316:
--------------------------------------------
Summary: Certificate verification rejects IPv6 addresses which are
not String-equal
Key: HTTPCLIENT-1316
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1316
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpConn
Affects Versions: 4.2.3
Reporter: James Livingston
org.apache.http.conn.ssl.AbstractVerifier.verify() does not correctly handle
host name verification when IPv6 addresses are used, as it simply does a string
equality check when doWildcard is false.
http://tools.ietf.org/html/rfc5952#section-3.2.5 specifically mentions X.509
certificates as an example when textual comparison of IPv6 addresses is not
correct. Examples of incorrect behaviour are with:
* leading zeroes
* zero compression
* case insensitivity
For example if you have a SSL certificate for the IP address
2001:0db8:aaaa:bbbb:cccc:0:0:0001, the alternative representation of
2001:db8:AAAA:bbbb:cccc::1 should be accepted as a match.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
