Posted to dev@hc.apache.org by "Ortwin Glück (JIRA)" <ji...@apache.org> on 2006/12/08 17:05:24 UTC

[jira] Commented: (HTTPCLIENT-614) allow different strategies when checking CN of x509 cert

    [ http://issues.apache.org/jira/browse/HTTPCLIENT-614?page=comments#action_12456895 ] 
            
Ortwin Glück commented on HTTPCLIENT-614:
-----------------------------------------

Good point, Julius. Personally I have no experience with SSL on vhosts. But looking at the referenced document, it looks like we should support the "CN+SubjAltNames" and "SubjectAltName" variants.

May I mention that the * solution in 613 is wrong:
if ( wildcard )     match = host.endsWith( cn.substring( 1 ) );
would result in bar.foo.a.com matching *.a.com
but RFC says:
E.g., *.a.com matches foo.a.com but not bar.foo.a.com.

Making a mistake here opens spoofing possibilities!

> allow different strategies when checking CN of x509 cert
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-614
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-614
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Minor
>
> We're now doing a decent job for checking the CN of the x509 cert with https:
> http://issues.apache.org/jira/browse/HTTPCLIENT-613
> I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out there.  But there are some more esoteric possibilities, so I think Oleg is right.  We need to let the user change the strategy, or provide their own strategy if they want to. 
> Some additional things to think about:
> - http://wiki.cacert.org/wiki/VhostTaskForce !!!   CN is deprecated?!?!   (I am not able to find a popular website on HTTPS that isn't using CN!)
> - [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not IE6.  The patch for HTTPCLIENT-613 allows subdomains.
> - Should we support multiple CN's in the subject?
> - Should we support "subjectAltName=DNS:www.example.com" ?  Should we support lots of them in a single cert?
> - Should we support a mix of CN and subjectAltName?
> If we do create some alternate strategies for people to try, I'd probably lean towards something like this:
> X509NameCheckingStrategy.SUN_JAVA_6  (default)
> X509NameCheckingStrategy.FIREFOX2
> X509NameCheckingStrategy.IE7
> X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS   (aka "STRICT")

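Added example (not part of the original message or of the HTTPCLIENT-613 patch): the suffix-only comparison quoted in the comment, next to a check that lets "*" stand for exactly one left-most label, as in the RFC example cited above. The class and method names are hypothetical, and the way the `wildcard` flag is derived (CN starts with "*.") is an assumption, since the message does not show it.

```java
import java.util.Locale;

// Added illustration; names are hypothetical and not HttpClient API.
public class WildcardCnCheck {

    // The comparison quoted in the comment: suffix test only.
    // Assumption: "wildcard" means the CN starts with "*.".
    static boolean suffixMatch(String host, String cn) {
        boolean wildcard = cn.startsWith("*.");
        return wildcard ? host.endsWith(cn.substring(1)) : host.equals(cn);
    }

    // "*" covers exactly one left-most label, so *.a.com matches
    // foo.a.com but not bar.foo.a.com.
    static boolean singleLabelMatch(String host, String cn) {
        // DNS names compare case-insensitively.
        host = host.toLowerCase(Locale.ROOT);
        cn = cn.toLowerCase(Locale.ROOT);
        if (!cn.startsWith("*.")) {
            return host.equals(cn);
        }
        String suffix = cn.substring(1);          // ".a.com"
        if (!host.endsWith(suffix)) {
            return false;
        }
        // Whatever "*" has to cover must be one non-empty label: no dots.
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        String cn = "*.a.com";
        // Constructed host names; the first two are the RFC example from the comment.
        String[] hosts = { "foo.a.com", "bar.foo.a.com", "a.com", ".a.com" };
        for (String host : hosts) {
            System.out.printf("%-14s suffix=%-5b singleLabel=%b%n",
                    host, suffixMatch(host, cn), singleLabelMatch(host, cn));
        }
    }
}
```

The two methods disagree on bar.foo.a.com and on the degenerate name .a.com, which the suffix test accepts and the single-label test rejects.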