allow different strategies when checking CN of x509 cert
--------------------------------------------------------
Key: HTTPCLIENT-614
URL: http://issues.apache.org/jira/browse/HTTPCLIENT-614
Project: HttpComponents HttpClient
Issue Type: Improvement
Components: HttpClient
Affects Versions: Nightly Builds
Reporter: Julius Davies
Priority: Minor
We're now doing a decent job for checking the CN of the x509 cert with https:
http://issues.apache.org/jira/browse/HTTPCLIENT-613
I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out there.
But there are some more esoteric possibilities, so I think Oleg is right. We
need to let the user change the strategy, or provide their own strategy if they
want to.
Some additional things to think about:
- http://wiki.cacert.org/wiki/VhostTaskForce !!! CN is depreciated?!?! (I
am not able to find a popular website on HTTPS that isn't using CN!)
- [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not IE6.
The patch for HTTPCLIENT-613 allows subdomains.
- Should we support multiple CN's in the subject?
- Should we support "subjectAltName=DNS:www.example.com" ? Should we support
lots of them in a single cert?
- Should we support a mix of CN and subjectAltName?
If we do create some alternate strategies for people to try, I'd probably lean
towards something like this:
X509NameCheckingStrategy.SUN_JAVA_6 (default)
X509NameCheckingStrategy.FIREFOX2
X509NameCheckingStrategy.IE7
X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS (aka "STRICT")
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
