[
https://issues.apache.org/jira/browse/HTTPCLIENT-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13570107#comment-13570107
]
Sebb commented on HTTPCLIENT-1316:
----------------------------------
There's a suggested patch for Tomcat which might be suitable:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51497
Note that IPv4 addresses can theoretically have leading zeroes (Java appears to
ignore these, but ping on WinXP and FreeBSD treats them as octal numbers).
Though it is unlikely that such representation would ever be used.
> Certificate verification rejects IPv6 addresses which are not String-equal
> --------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1316
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1316
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: 4.2.3
> Reporter: James Livingston
> Fix For: Future
>
>
> org.apache.http.conn.ssl.AbstractVerifier.verify() does not correctly handle
> host name verification when IPv6 addresses are used, as it simply does a
> string equality check when doWildcard is false.
> http://tools.ietf.org/html/rfc5952#section-3.2.5 specifically mentions X.509
> certificates as an example when textual comparison of IPv6 addresses is not
> correct. Examples of incorrect behaviour are with:
> * leading zeroes
> * zero compression
> * case insensitivity
> For example if you have a SSL certificate for the IP address
> 2001:0db8:aaaa:bbbb:cccc:0:0:0001, the alternative representation of
> 2001:db8:AAAA:bbbb:cccc::1 should be accepted as a match.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
