[ http://issues.apache.org/jira/browse/HTTPCLIENT-614?page=comments#action_12456909 ]

Julius Davies commented on HTTPCLIENT-614:
------------------------------------------

Hi, Odi,

I believe "host.endsWith( cn.substring( 1 ) )" mimics Firefox's behaviour (but without support for "CN + SubjAltNames").

This wiki entry has an interesting catalog of browser behaviour with wildcards:

http://wiki.cacert.org/wiki/WildcardCertificates

- IE6 doesn't allow subdomains (so follows the RFC). *.apache.org does not match "a.b.apache.org".
- Firefox/Mozilla allows subdomains (breaks RFC). *.apache.org DOES MATCH "a.b.apache.org"!
- New versions of Konqueror (so Safari too?) allow subdomains (breaks RFC).
- Opera 9.0 allows subdomains (breaks RFC).

I think I'll do some experimentation on my own and test some additional clients. I'll add my findings to cacert's very handy wiki!

Curious about the following (but I'm lazy so I'm just going to stick to Linux and maybe a little dabbling on Windows):

- wget
- curl
- java.net.URL on the following:
  1. Sun Java 1.3.1 + JSSE
  2. Sun Java 1.4.2
  3. Sun Java 5.0
  4. Sun Java 6.0
  5. IBM Java 1.4.2
  6. IBM Java 5.0
  7. JRockit Java 1.4.2
  8. JRockit Java 5.0

I think if our default behaviour mimics Sun Java 6, that's good enough.

> allow different strategies when checking CN of x509 cert
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-614
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-614
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpConn
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Minor
>             Fix For: 4.0 Alpha 1
>
>
> We're now doing a decent job for checking the CN of the x509 cert with https:
> http://issues.apache.org/jira/browse/HTTPCLIENT-613
>
> I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out
> there. But there are some more esoteric possibilities, so I think Oleg is
> right. We need to let the user change the strategy, or provide their own
> strategy if they want to.
>
> Some additional things to think about:
>
> - http://wiki.cacert.org/wiki/VhostTaskForce !!! CN is deprecated?!?! (I
>   am not able to find a popular website on HTTPS that isn't using CN!)
> - [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not
>   IE6. The patch for HTTPCLIENT-613 allows subdomains.
> - Should we support multiple CN's in the subject?
> - Should we support "subjectAltName=DNS:www.example.com"? Should we support
>   lots of them in a single cert?
> - Should we support a mix of CN and subjectAltName?
>
> If we do create some alternate strategies for people to try, I'd probably
> lean towards something like this:
>
> X509NameCheckingStrategy.SUN_JAVA_6 (default)
> X509NameCheckingStrategy.FIREFOX2
> X509NameCheckingStrategy.IE7
> X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS (aka "STRICT")

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
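The two wildcard semantics the comment contrasts, written out side by side as an added example. This is not HttpClient's code, nor the HTTPCLIENT-613 patch: the class `HostnameMatchDemo`, the `Strategy` enum and the `matchesAny` helper are names chosen here. `LENIENT` reproduces the quoted fragment `host.endsWith(cn.substring(1))` (the Firefox-style behaviour, where "*.apache.org" also matches "a.b.apache.org"); `STRICT` applies the RFC 2818 section 3.1 rule that a wildcard is the whole leftmost label and matches exactly one label. `matchesAny` shows the "CN + subjectAltName" variant the issue asks about: the caller passes every DNS name from the cert and a match on any of them is accepted. The sample hostnames and names in `main` are constructed for the demo.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Illustrative hostname-vs-certificate-name matching (not HttpClient's code).
 * Compares the lenient endsWith check quoted in the comment with a strict
 * RFC 2818 section 3.1 wildcard check.
 */
public final class HostnameMatchDemo {

    public enum Strategy { LENIENT, STRICT }

    /** Exact (case-insensitive) match, or wildcard match under the chosen strategy. */
    public static boolean matches(String host, String cn, Strategy strategy) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*")) {
            return h.equals(c);
        }
        switch (strategy) {
            case LENIENT:
                // The fragment quoted in the comment. Observe that a bare "*" CN
                // gives cn.substring(1) == "" and String.endsWith("") is always
                // true, so this branch accepts any host for such a CN.
                return h.endsWith(c.substring(1));
            case STRICT:
                return strictWildcardMatch(h, c);
            default:
                throw new IllegalStateException("unknown strategy " + strategy);
        }
    }

    /**
     * RFC 2818 style: "*" must be the entire leftmost label, it consumes exactly
     * one host label, and the remainder must equal the CN suffix. "*.apache.org"
     * matches "www.apache.org" but neither "a.b.apache.org" nor "apache.org".
     * The suffix must itself have at least two labels so "*.com" is refused
     * (an extra restriction chosen for this demo, not mandated by the RFC).
     */
    private static boolean strictWildcardMatch(String host, String cn) {
        if (!cn.startsWith("*.")) {
            return false;                       // e.g. "w*.apache.org" or bare "*"
        }
        String suffix = cn.substring(2);        // "apache.org"
        if (suffix.split("\\.").length < 2) {
            return false;                       // refuse "*.com"-style names
        }
        int dot = host.indexOf('.');
        if (dot <= 0) {
            return false;                       // no label available for "*"
        }
        String hostRest = host.substring(dot + 1);
        return hostRest.equals(suffix);
    }

    /**
     * CN + subjectAltName style: the caller supplies every DNS name found in
     * the certificate (CN values and DNS SANs) and any match is accepted.
     */
    public static boolean matchesAny(String host, List<String> certNames, Strategy strategy) {
        for (String name : certNames) {
            if (matches(host, name, strategy)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample pairs: {host, CN}.
        String[][] cases = {
            {"www.apache.org",   "*.apache.org"},
            {"a.b.apache.org",   "*.apache.org"},
            {"apache.org",       "*.apache.org"},
            {"www.apache.org",   "*"},
            {"www.apache.org",   "WWW.APACHE.ORG"},
        };
        for (String[] c : cases) {
            System.out.printf("%-16s vs %-16s lenient=%-5b strict=%b%n",
                    c[0], c[1],
                    matches(c[0], c[1], Strategy.LENIENT),
                    matches(c[0], c[1], Strategy.STRICT));
        }

        // Constructed cert name list: one CN plus two DNS subjectAltNames.
        List<String> certNames = Arrays.asList("mail.example.com", "*.example.net", "www.example.com");
        System.out.println("www.example.com in CN+SAN list (strict): "
                + matchesAny("www.example.com", certNames, Strategy.STRICT));
        System.out.println("a.b.example.net in CN+SAN list (strict): "
                + matchesAny("a.b.example.net", certNames, Strategy.STRICT));
    }
}
```

The table printed by `main` makes the comment's point concrete: only the "a.b.apache.org" row and the bare "*" row differ between the two strategies, which is exactly where the RFC and the Firefox-style check disagree. Whether a bare "*" CN should ever match is a policy decision for the strategy interface the issue proposes; the strict branch above refuses it, the lenient branch (as the quoted fragment is written) accepts it.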
