[ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12533430 ]
Oleg Kalnichevski commented on HTTPCLIENT-617:
----------------------------------------------
Julius,
I added a utility class InetAddressUtils which can be used to test if a string
represents a valid IPv4 or IPv6 address.
http://svn.apache.org/repos/asf/jakarta/httpcomponents/httpclient/trunk/module-client/src/main/java/org/apache/http/conn/util/InetAddressUtils.java
What else needs to be done to close this issue?
Oleg
> Hostname verification: turn off wildcards when CN is an IP address
> -------------------------------------------------------------------
>
> Key: HTTPCLIENT-617
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-617
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: Snapshot
> Reporter: Julius Davies
> Priority: Minor
> Fix For: 4.0 Alpha 2
>
>
> Hostname verification: turn off wildcards when CN is an IP address. This
> is a further improvement on HTTPCLIENT-613 and HTTPCLIENT-614.
> Example - don't allow:
> CN=*.114.102.2
> I'm thinking of grabbing the substring following the final dot, and running
> it through "Integer.parseInt()". If the NumberFormatException isn't thrown
> (so Integer.parseInt() actually worked!), then I'll turn off wildcard
> matching. Notice that this won't be a problem with IP6 addresses, since they
> don't use dots. It's only a problem with IP4, where the meaning of the dots
> clashes with dots in domain names.
> Note: when I turn off wildcard matching, I still attempt an exact match with
> the hostname. If through some weird mechanism the client is actually able to
> use a hostname such as "https://*.114.102.2/", then they will be okay if
> that's what the certificate on the server contains.
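
The check proposed in the issue description, sketched in Java as an added example (not HttpClient's code and not the InetAddressUtils class linked above). The class and method names are hypothetical, the sample host/CN pairs are constructed, and the wildcard rule is assumed to be a simple suffix match.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not HttpClient's.
public class WildcardCnCheck {

    // Heuristic from the issue text: take the substring after the final dot
    // and see whether Integer.parseInt() accepts it.
    static boolean lastLabelIsNumeric(String cn) {
        String last = cn.substring(cn.lastIndexOf('.') + 1);
        try {
            Integer.parseInt(last);
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Wildcard matching is used only for "*." patterns whose final label is
    // not numeric; every other CN gets an exact, case-insensitive comparison.
    static boolean matches(String host, String cn) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        if (c.startsWith("*.") && !lastLabelIsNumeric(c)) {
            String suffix = c.substring(1); // e.g. ".example.com"
            // Assumption: simplified suffix match, at least one char before it.
            return h.length() > suffix.length() && h.endsWith(suffix);
        }
        return h.equals(c); // exact match is still attempted, as the issue notes
    }

    public static void main(String[] args) {
        // Constructed sample pairs: {hostname, certificate CN}
        String[][] cases = {
            {"www.example.com", "*.example.com"}, // ordinary wildcard CN
            {"10.114.102.2",    "*.114.102.2"},   // wildcard over an IPv4 tail
            {"*.114.102.2",     "*.114.102.2"},   // literal hostname equal to the CN
            {"10.114.102.2",    "10.114.102.2"},  // plain IP CN, exact match
            {"example.com",     "*.example.com"}, // bare domain against a wildcard
        };
        for (String[] c : cases) {
            System.out.printf("host=%-16s cn=%-14s -> %b%n",
                    c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```

Because `Integer.parseInt()` only inspects the final label, a CN such as `*.host.5` also loses wildcard matching under this heuristic; a full IPv4 validity test on the CN is the stricter alternative.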