[
https://issues.apache.org/jira/browse/HTTPCLIENT-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17735745#comment-17735745
]
Oleg Kalnichevski commented on HTTPCLIENT-2280:
-----------------------------------------------
> but I also see no reason to not use the `matchCN` fallback in this case.
[~ydylla] And I see no reason why it should. Unlike HttpClient 4.x HttpClient
5.x conforms to RFC 2818. Please use a custom host name verifier if you want to
continue to support the behavior deprecated by RFC 2818.
Oleg
> HostnameVerifier does not support using IP address in CN
> --------------------------------------------------------
>
> Key: HTTPCLIENT-2280
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2280
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Affects Versions: 5.0.4
> Reporter: Yannick Dylla
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Hi,
> we are migrating from the 4.x client to 5.x and noticed that the behavior of
> the DefaultHostnameVerifier changed. Since HTTPCLIENT-2149
> https://github.com/apache/httpcomponents-client/pull/302 the HostnameVerifier
> does no longer accept certificates with an ip address in its CN and with no
> subject alts. Verification fails with "Certificate for <127.0.0.1> doesn't
> match any of the subject alternative names: []".
> I know using ip addresses in the CN is not really recommended or good
> practice, but I also see no reason to not use the `matchCN` fallback in this
> case. The functionality was probably just removed by accident with
> HTTPCLIENT-2149.
> I will open A github PR with my proposed solution once I know the number of
> this issue :)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
