[jira] [Commented] (HTTPCLIENT-1316) Certificate verification rejects IPv6 addresses which are not String-equal

Tue, 05 Feb 2013 07:45:41 -0800 

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13571394#comment-13571394
 ] 

Sebb commented on HTTPCLIENT-1316:
----------------------------------

In theory, UnknownHostException should never happen, as the code should only be 
executed for numeric IPs, and so should never invoke DNS.

The intention of reporting the exception was to detect if there is a bug which 
allows DNS to be unintentionally invoked.
So unless you have strong objections I propose to log a warning, and return the 
original host name.
                
> Certificate verification rejects IPv6 addresses which are not String-equal
> --------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1316
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1316
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: 4.2.3
>            Reporter: James Livingston
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1316.patch
>
>
> org.apache.http.conn.ssl.AbstractVerifier.verify() does not correctly handle 
> host name verification when IPv6 addresses are used, as it simply does a 
> string equality check when doWildcard is false.
> http://tools.ietf.org/html/rfc5952#section-3.2.5 specifically mentions X.509 
> certificates as an example when textual comparison of IPv6 addresses is not 
> correct. Examples of incorrect behaviour are with:
> * leading zeroes
> * zero compression
> * case insensitivity
> For example if you have a SSL certificate for the IP address 
> 2001:0db8:aaaa:bbbb:cccc:0:0:0001, the alternative representation of 
> 2001:db8:AAAA:bbbb:cccc::1 should be accepted as a match.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to