Mark,

On 11/9/17 5:02 AM, Mark Thomas wrote:
> On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien
> <nicolas.therr...@airbus-dscomm.com> wrote:
> 
> <snip/>
> 
>> My understanding is that when "certificateVerification" is set
>> to "required", the server would perform the same verification as
>> the client does, that is:
>> 
>> 1) Verify the incoming certificate is signed by an authority that
>> is part of the local truststore.
> 
> Correct.
> 
>> 2) Verify that the incoming certificate's common name matches
>> the hostname of the peer we are communicating with.
> 
> Incorrect.
> 
> The client very is intended to prove the identity of the user, not
> the host they happen to be using.

s/very/cert/

This is also very (sic) dependent upon the URL that the client is
using to connect to the server. For example, if you move a certificate
with cn=localhost between many servers and access it using
https://localhost/ then you will never get any errors. Likewise, if
you redefine the DNS name and keep the URL consistent, then you will
also connect without any errors.

Since you wrote the client, you are ultimately responsible for
performing hostname verification. If you use HttpsURLConnection or
anything else built into the JVM like that that uses SSLContext and
friends, you should automatically get hostname verification unless you
specifically take steps to disable it.

But if you are rolling your own connection code, you won't get that
kind of protection.

-chris
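To illustrate the last point of this reply, here is an added example (not code from the thread or from Tomcat) showing the difference between "rolling your own" JSSE connection and what HttpsURLConnection gives you: the same raw SSLSocket with and without endpoint identification. The host and port are placeholder values.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/**
 * Added example: a hand-rolled TLS client socket. Both methods use the
 * JVM's default SSLContext, so the peer chain is always validated
 * against the default truststore; only the second one also compares
 * the certificate's name to the host we asked for.
 */
public class HostnameCheckExample {

    /** Chain validation only. A certificate issued by a trusted CA for a
     *  completely different name is accepted, which is exactly the gap the
     *  reply above describes for custom connection code. */
    static SSLSocket connectWithoutHostnameCheck(String host, int port)
            throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        s.startHandshake();   // succeeds for any trusted chain, whatever its name
        return s;
    }

    /** Same socket, but the JSSE trust manager now also checks that the
     *  server certificate's SAN/CN matches "host" (the "HTTPS" algorithm,
     *  RFC 2818 rules), which HttpsURLConnection does for you by default. */
    static SSLSocket connectWithHostnameCheck(String host, int port)
            throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();   // throws SSLHandshakeException on a name mismatch
        return s;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host; substitute the server you are testing against.
        String host = args.length > 0 ? args[0] : "example.invalid";
        try (SSLSocket s = connectWithHostnameCheck(host, 443)) {
            System.out.println("verified " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The same setEndpointIdentificationAlgorithm("HTTPS") call is what you need on any SSLEngine or SSLSocket you create yourself; without it, a trusted-but-wrong certificate passes silently.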