[ http://issues.apache.org/jira/browse/HTTPCLIENT-614?page=comments#action_12457447 ] Julius Davies commented on HTTPCLIENT-614: ------------------------------------------
Trying out a pluggable implementation. If anyone is interested in seeing where I'm currently at: http://juliusdavies.ca/httpclient/ Of note: New interface: o.a.http.conn.ssl.HostnameVerifier It actually extends the javax.net.ssl one (http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/HostnameVerifier.html). But I don't expect our SSLSocketFactory to use that API. I'm just including that as a comforting "things seem familiar" door-knob/hand-rail. Of note, I'm actually sticking the implementation directly inside this interface as anonymous-inner-classes. Defining the following: HostnameVerifier.DEFAULT (mimics curl and firefox) HostnameVerifier.STRICT (mimics java.net.URL, and very close to IE6) HostnameVerifier.ALLOW_ALL (turns off hostname verification) IIRC, anonymous inner-classes only showed up in Java 1.3.x so this would be inappropriate for Httpclient 3.x (which supports Java 1.2.x). Now I'm just working on unit tests before I create the patch.... > allow different strategies when checking CN of x509 cert > -------------------------------------------------------- > > Key: HTTPCLIENT-614 > URL: http://issues.apache.org/jira/browse/HTTPCLIENT-614 > Project: HttpComponents HttpClient > Issue Type: Improvement > Components: HttpConn > Affects Versions: Nightly Builds > Reporter: Julius Davies > Fix For: 4.0 Alpha 1 > > > We're now doing a decent job for checking the CN of the x509 cert with https: > http://issues.apache.org/jira/browse/HTTPCLIENT-613 > I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out > there. But there are some more esoteric possibilities, so I think Oleg is > right. We need to let the user change the strategy, or provide their own > strategy if they want to. > Some additional things to think about: > - http://wiki.cacert.org/wiki/VhostTaskForce !!! CN is depreciated?!?! (I > am not able to find a popular website on HTTPS that isn't using CN!) > - [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not > IE6. The patch for HTTPCLIENT-613 allows subdomains. > - Should we support multiple CN's in the subject? > - Should we support "subjectAltName=DNS:www.example.com" ? Should we support > lots of them in a single cert? > - Should we support a mix of CN and subjectAltName? > If we do create some alternate strategies for people to try, I'd probably > lean towards something like this: > X509NameCheckingStrategy.SUN_JAVA_6 (default) > X509NameCheckingStrategy.FIREFOX2 > X509NameCheckingStrategy.IE7 > X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS (aka "STRICT") -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
