[
https://issues.apache.org/jira/browse/HTTPCLIENT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13784263#comment-13784263
]
Sidney Beekhoven commented on HTTPCLIENT-1410:
----------------------------------------------
IMHO this is a bug because perfectly good wildcard certificates don't work with
Apache HttpClient, and they do work with all the browsers, curl, etc. The
problem is that there is no fixed ruleset to check this on so that is probably
why browsers and curl don't check this. You could also argue what the added
value of this check is.
So my suggestion would be to drop the acceptableCountryWildcard method.
> AbstractVerifier.acceptableCountryWildcard check not strict enough
> ------------------------------------------------------------------
>
> Key: HTTPCLIENT-1410
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1410
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Affects Versions: 4.3 Final
> Reporter: Sidney Beekhoven
> Priority: Minor
>
> I work at a company called info.nl in the Netherlands, so our domain is
> info.nl. We have a wildcard certificate in use for several services,
> *.info.nl.
> The AbstractVerifier has a method acceptableCountryWildcard which checks that
> you don't use e.g. *.co.uk as the wildcard in the certificate. The second to
> last domain part is checked against a fixed list, which includes info so our
> wildcard is not accepted.
> Apparently there are some countries where info.<countrycode> is seen as a top
> level domain but that is not the case for the Netherlands. So the check on
> this is not strict enough and should also take into account the top level
> domain.
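The behaviour reported in this issue, as an added example that is not part of the original message and is not HttpClient's own code: a label-only check of the kind described rejects `*.info.nl`, while a variant that also looks at the country code accepts it and still refuses `*.co.uk`. The class name, method names and both lists are hypothetical and constructed for illustration; only `co`, `info`, `*.co.uk` and `*.info.nl` come from the thread.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class CountryWildcardCheck {
    // Constructed sample list; only "co" and "info" are taken from the thread.
    static final Set<String> SECOND_LEVEL_LABELS =
            new HashSet<>(Arrays.asList("co", "com", "info", "org"));

    // Constructed sample of "label.cc" registry suffixes under which a wildcard
    // must be refused. "info.nl" is absent: per the report it is an ordinary domain.
    static final Set<String> REGISTRY_SUFFIXES =
            new HashSet<>(Arrays.asList("co.uk", "org.uk", "com.au", "co.jp"));

    // Returns the labels of a "*.label.cc" pattern, or null when the rule does not apply.
    static String[] countryWildcardParts(String cn) {
        String[] parts = cn.toLowerCase(Locale.ROOT).split("\\.");
        boolean applies = parts.length == 3 && parts[0].equals("*") && parts[2].length() == 2;
        return applies ? parts : null;
    }

    // Check as described in the issue: only the second-to-last label is compared.
    static boolean acceptableLabelOnly(String cn) {
        String[] parts = countryWildcardParts(cn);
        return parts == null || !SECOND_LEVEL_LABELS.contains(parts[1]);
    }

    // Variant suggested in the report: the country code is taken into account too.
    static boolean acceptableWithCountry(String cn) {
        String[] parts = countryWildcardParts(cn);
        return parts == null || !REGISTRY_SUFFIXES.contains(parts[1] + "." + parts[2]);
    }

    public static void main(String[] args) {
        // Constructed certificate subject patterns.
        for (String cn : new String[] {"*.info.nl", "*.co.uk", "*.example.nl"}) {
            System.out.printf("%-14s labelOnly=%-5b withCountry=%b%n",
                    cn, acceptableLabelOnly(cn), acceptableWithCountry(cn));
        }
    }
}
```

A hard-coded suffix list like the one above goes stale as registries change their policies, which is the "no fixed ruleset" problem the comment raises.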