[ https://issues.apache.org/jira/browse/CXF-6762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15119686#comment-15119686 ]
Colm O hEigeartaigh commented on CXF-6762:
------------------------------------------

Hi Chris,

I've updated the DefaultHostnameVerifier since the 3.1.4 release. Any chance you could build the latest 3.1.5-SNAPSHOT code + see whether it still fails for you?

Colm.

> DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
> -----------------------------------------------------------------------
>
>                 Key: CXF-6762
>                 URL: https://issues.apache.org/jira/browse/CXF-6762
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, Transports
>   Affects Versions: 3.1.4
>            Reporter: Chris Ribble
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder
> implementation in CXF (and which cannot be overridden without also overriding
> the SSLContext, due to CXF-6761) improperly validates the request hostname
> against the DNSName values from the SAN section of a certificate when
> matching wildcards.
> For example, the following works:
> Hostname = my.test.com -> DNSName = *.test.com
> But the following does not:
> Hostname = 1.my.test.com -> DNSName = *.my.test.com
> The reason this fails is that the validation code erroneously assumes (in
> multiple places) that wildcards only ever exist on the root domain.
> The logic should be improved to allow the wildcard to be used to replace 1
> domain name component or component fragment (comments in the code indicate
> that this is its purpose, but it fails at this).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)