Posted to dev@hc.apache.org by "Julius Davies (JIRA)" <ji...@apache.org> on 2006/12/19 19:47:21 UTC

[jira] Created: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Hostname verification:  turn off wildcards when CN is an IP address
-------------------------------------------------------------------

                 Key: HTTPCLIENT-617
                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-617
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpConn
    Affects Versions: Nightly Builds
            Reporter: Julius Davies
            Priority: Minor


Hostname verification: turn off wildcards when CN is an IP address. This is a further improvement on HTTPCLIENT-613 and HTTPCLIENT-614.

Example - don't allow:
CN=*.114.102.2

I'm thinking of grabbing the substring following the final dot, and running it through "Integer.parseInt()".  If the NumberFormatException isn't thrown (so Integer.parseInt() actually worked!), then I'll turn off wildcard matching.  Notice that this won't be a problem with IP6 addresses, since they don't use dots.  It's only a problem with IP4, where the meaning of the dots clashes with dots in domain names.

Note:  when I turn off wildcard matching, I still attempt an exact match with the hostname.  If through some weird mechanism the client is actually able to use a hostname such as "https://*.114.102.2/", then they will be okay if that's what the certificate on the server contains.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
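
An added example, not HttpClient's own code and not the patch attached later in this thread, of the check the report above proposes: wildcard matching is switched off when the identity's final label is numeric, while an exact comparison is still made. The class and method names, and the rule that a wildcard covers exactly one label, are this example's assumptions; a precompiled ASCII-digit pattern stands in for the Integer.parseInt() call.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example, not HttpClient's own code: the guard proposed in
 * HTTPCLIENT-617. An identity such as "*.114.102.2" must never match a host
 * by wildcard expansion, but an exact comparison is still attempted.
 * Class and method names are this example's own, not the project's API.
 */
public final class WildcardGuard {

    /** Precompiled once (as the thread recommends): one to three US-ASCII digits.
     *  Character.isDigit() and Integer.parseInt() would also accept other Unicode
     *  decimal digits, which never occur in an IPv4 address. */
    private static final Pattern NUMERIC_LABEL = Pattern.compile("[0-9]{1,3}");

    private WildcardGuard() {}

    /** True when the label after the final dot is purely numeric ("2" in "*.114.102.2"). */
    static boolean lastLabelIsNumeric(String identity) {
        int dot = identity.lastIndexOf('.');
        String last = dot < 0 ? identity : identity.substring(dot + 1);
        return NUMERIC_LABEL.matcher(last).matches();
    }

    /**
     * Match a presented identity (CN or dNSName) against the target host.
     * A wildcard is honoured only as the leftmost label, only for exactly one
     * label of the host, and never when the identity's last label is numeric.
     */
    static boolean matches(String identity, String host) {
        String id = identity.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);

        // Exact match always wins, even for "*.114.102.2" against "*.114.102.2".
        if (id.equals(h)) {
            return true;
        }
        // Only a leading "*." is a wildcard, and an IPv4-looking pattern gets no wildcard at all.
        if (!id.startsWith("*.") || lastLabelIsNumeric(id)) {
            return false;
        }
        String suffix = id.substring(1);                 // ".example.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String prefix = h.substring(0, h.length() - suffix.length());
        // The wildcard stands for exactly one non-empty label, so "a.b.example.com" is refused.
        return prefix.length() > 0 && prefix.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        String[][] cases = {
            { "*.example.com", "www.example.com" },  // true: ordinary wildcard
            { "*.example.com", "a.b.example.com" },  // false: wildcard would span two labels
            { "*.example.com", "example.com" },      // false: wildcard needs one label
            { "*.114.102.2",   "10.114.102.2" },     // false: numeric last label, wildcard off
            { "*.114.102.2",   "*.114.102.2" },      // true: exact match still allowed
        };
        for (String[] c : cases) {
            System.out.println(c[0] + "  vs  " + c[1] + "  ->  " + matches(c[0], c[1]));
        }
    }
}
```

The last two cases are the ones the report is about: the wildcard is refused for "10.114.102.2", yet a host literally named "*.114.102.2" still passes by exact comparison, as the note in the description says it should.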


[jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Julius Davies (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=comments#action_12459729 ] 
            
Julius Davies commented on HTTPCLIENT-617:
------------------------------------------

good point

I'll run Character.isDigit( ) against each character of that last sub-string, instead of Integer.parseInt().  That way even unicode digits in Arabic will be caught.  :-)




[jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Roland Weber (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=comments#action_12459728 ] 
            
Roland Weber commented on HTTPCLIENT-617:
-----------------------------------------

Hi Julius,

throwing an exception is generally a very expensive operation. Code that throws and catches exceptions in the normal course of operations is _highly_ questionable. This is HttpClient 4.x, so the prerequisite is Java 1.4 which already supports regular expressions. If you have to check a string for a format as simple as this, please use a precompiled regular expression. If you're not familiar with the regexp format, I'll help you out.

cheers,
  Roland



[jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Ortwin Glück (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=comments#action_12459865 ] 
            
Ortwin Glück commented on HTTPCLIENT-617:
-----------------------------------------

It would be good to have a couple of tool functions to check for these cases:

isIPv4Address
isIPv6Address

Pity the InetAddress class doesn't provide this functionality in an inexpensive way.


[jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12533430 ] 

Oleg Kalnichevski commented on HTTPCLIENT-617:
----------------------------------------------

Julius,

I added a utility class InetAddressUtils which can be used to test if a string represents a valid IPv4 or IPv6 address.  

http://svn.apache.org/repos/asf/jakarta/httpcomponents/httpclient/trunk/module-client/src/main/java/org/apache/http/conn/util/InetAddressUtils.java

What else needs to be done to close this issue?

Oleg


[jira] Updated: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=all ]

Oleg Kalnichevski updated HTTPCLIENT-617:
-----------------------------------------

    Fix Version/s: 4.0 Alpha 1


[jira] Resolved: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-617.
------------------------------------------

    Resolution: Fixed

Patch checked in. Many thanks, Julius. 

Test cases would be very welcome, as always.

Oleg


[jira] Updated: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-617:
-----------------------------------------

    Fix Version/s:     (was: 4.0 Alpha 1)
                   4.0 Alpha 2


[jira] Commented: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Roland Weber (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/HTTPCLIENT-617?page=comments#action_12459735 ] 
            
Roland Weber commented on HTTPCLIENT-617:
-----------------------------------------

Hi Julius,

I'm not sure that an IP address is allowed to have anything but US-ASCII digits 0-9. And instead of hand-parsing, you could just use a precompiled regular expression... ;-) The "precompiled" is important here. If it's not precompiled, hand-parsing will definitely be more efficient.

cheers,
  Roland
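
The tool functions Ortwin asks for and Oleg adds as InetAddressUtils, written here as an added example that is not the project's class, along the lines Roland argues for in both of his comments: precompiled regular expressions, US-ASCII digits only, no exception thrown on the normal path. It also shows why the Character.isDigit() variant Julius mentions is not a test for an IPv4 address. The regexes, the handling of the ::ffff:a.b.c.d form, the isAllDigits helper and the sample inputs are this example's own; zone identifiers such as fe80::1%eth0 are deliberately not accepted.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not the InetAddressUtils class checked in for HTTPCLIENT-617:
 * address syntax checks in the style the thread converges on, precompiled
 * regular expressions restricted to US-ASCII digits, no exception on the normal
 * path. Method names follow Ortwin's suggestion; the rest is this example's own.
 */
public final class AddressSyntax {

    /** A decimal octet 0-255 with no leading zero (some parsers read "012" as octal). */
    private static final String OCTET = "(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])";

    /** Four dotted octets. [0-9] rather than \d keeps the class ASCII-only under every regex flag. */
    private static final Pattern IPV4 =
        Pattern.compile("^" + OCTET + "(?:\\." + OCTET + "){3}$");

    private static final String HEX4 = "[0-9A-Fa-f]{1,4}";

    /** Eight colon-separated hex groups, no "::" compression. */
    private static final Pattern IPV6_STD =
        Pattern.compile("^(?:" + HEX4 + ":){7}" + HEX4 + "$");

    /** Exactly one "::", with zero or more hex groups on each side (group count checked below). */
    private static final Pattern IPV6_COMPRESSED = Pattern.compile(
        "^((?:" + HEX4 + "(?::" + HEX4 + ")*)?)::((?:" + HEX4 + "(?::" + HEX4 + ")*)?)$");

    private AddressSyntax() {}

    public static boolean isIPv4Address(String s) {
        return IPV4.matcher(s).matches();
    }

    public static boolean isIPv6Address(String s) {
        // Mixed notation such as ::ffff:192.0.2.1: check the dotted tail as IPv4,
        // then stand two zero hex groups in for it and check the rest as hex.
        if (s.indexOf('.') >= 0) {
            int lastColon = s.lastIndexOf(':');
            if (lastColon < 0 || !isIPv4Address(s.substring(lastColon + 1))) {
                return false;
            }
            s = s.substring(0, lastColon + 1) + "0:0";
        }
        if (IPV6_STD.matcher(s).matches()) {
            return true;
        }
        Matcher m = IPV6_COMPRESSED.matcher(s);
        if (!m.matches()) {
            return false;
        }
        // "::" must stand for at least one group, so at most 7 groups may be written out.
        return countGroups(m.group(1)) + countGroups(m.group(2)) <= 7;
    }

    private static int countGroups(String side) {
        if (side.isEmpty()) {
            return 0;
        }
        int n = 1;
        for (int i = 0; i < side.length(); i++) {
            if (side.charAt(i) == ':') {
                n++;
            }
        }
        return n;
    }

    /** The check Julius first proposed. It reports "numeric" for Arabic-Indic digits too,
     *  and Integer.parseInt() parses them as well because it converts each char with
     *  Character.digit(); neither is a test for an IPv4 address. */
    static boolean isAllDigits(String s) {
        if (s.isEmpty()) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            if (!Character.isDigit(s.charAt(i))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the fourth is "127.0.0.1" written in Arabic-Indic digits.
        String arabicIndic = "\u0661\u0662\u0667.\u0660.\u0660.\u0661";
        String[] inputs = {
            "114.102.2.1", "256.1.1.1", "01.2.3.4", arabicIndic,
            "2001:db8::1", "::", "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7::8",
            "::ffff:192.0.2.1", "fe80::1%eth0",
        };
        for (String in : inputs) {
            String lastLabel = in.substring(in.lastIndexOf('.') + 1);
            System.out.println(in + "  v4=" + isIPv4Address(in) + "  v6=" + isIPv6Address(in)
                + "  isDigit(last label)=" + isAllDigits(lastLabel));
        }
    }
}
```

Running main() shows the Arabic-Indic string failing isIPv4Address while isAllDigits still says its last label is numeric, and "1:2:3:4:5:6:7::8" being refused because "::" would then stand for nothing. Both patterns are compiled once in static initialisers, so the per-call cost is a single match with no exception on either the accepting or the rejecting path.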



[jira] Updated: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

Posted by "Julius Davies (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julius Davies updated HTTPCLIENT-617:
-------------------------------------

    Attachment: guard_against_ip4_wildcard.patch

Thanks, Oleg!  Here's what I had in mind (see attached patch).  I'll try and put together a junit test for this - hopefully soon (famous last words).  Unfortunately I have to remember how to use openssl to generate an X509 cert with CN=*.1.2.3, but should hopefully find time this weekend.

yours,

Julius
