[jira] Commented: (HTTPCLIENT-613) https should check CN of x509 cert

Fri, 08 Dec 2006 08:09:46 -0800 

    [ 
http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456897
 ] 
            
Martin van den Bemt commented on HTTPCLIENT-613:
------------------------------------------------

    // The CN better have at least two dots if it wants wildcard action.
+        // (Hmmm... what about *.co.uk ???  Eeek!  Something to think about
+        // on a rainy day, I guess.)

According to your code.. If I am not mistaken .co.uk contains at least 2 dots...

And officially (just had to deal with that issue), you need a wildcard 
certificate for every subdomain so :
*.apache.org is a wildcard cerficiate for hostname.apache.org (just that level).
If you want to have a valid certifacate for eg subhostname.hostname.apache.org, 
you need to get a *.subhostname.hostname.apache.org certificate for that 
seperately (although browsers seem to accept this stuff).

I chose to have an hostname verifier setup that accepts above, but that is just 
used for staging and test environments (to prevent us from buyin a huge load of 
certificates)

HTH..

Mvgr,
Martin

> https should check CN of x509 cert
> ----------------------------------
>
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>
>         Attachments: SSLSocketFactory.patch, SSLSocketFactory_best.patch, 
> SSLSocketFactory_improved.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection",  the checking 
> provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods 
> on o.a.h.conn.ssl.SSLSocketFactory to blowup:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: 
> <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: 
> <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to