Posted to dev@directory.apache.org by "Pierre-Arnaud Marcelot (Created) (JIRA)" <ji...@apache.org> on 2012/02/01 10:50:58 UTC

[jira] [Created] (DIRAPI-72) Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6

Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6
--------------------------------------------------------------------------------------------

                 Key: DIRAPI-72
                 URL: https://issues.apache.org/jira/browse/DIRAPI-72
             Project: Directory Client API
          Issue Type: Improvement
    Affects Versions: 1.0.0-M9
            Reporter: Pierre-Arnaud Marcelot
            Assignee: Pierre-Arnaud Marcelot
             Fix For: 1.0.0-M11


Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6.

See DIRAPI-69 (startTLS hostname verification) for more background information.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (DIRAPI-72) Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRAPI-72?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRAPI-72:
------------------------------------

    Fix Version/s:     (was: 1.0.0-M13)
                   1.0.0-M14
    
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6
> --------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-72
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-72
>             Project: Directory Client API
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M9
>            Reporter: Pierre-Arnaud Marcelot
>            Assignee: Pierre-Arnaud Marcelot
>             Fix For: 1.0.0-M14
>
>
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6.
> See DIRAPI-69 (startTLS hostname verification) for more background information.


[jira] [Updated] (DIRAPI-72) Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRAPI-72?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRAPI-72:
------------------------------------

    Fix Version/s:     (was: 1.0.0-M12)
                   1.0.0-M13
    
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6
> --------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-72
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-72
>             Project: Directory Client API
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M9
>            Reporter: Pierre-Arnaud Marcelot
>            Assignee: Pierre-Arnaud Marcelot
>             Fix For: 1.0.0-M13
>
>
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6.
> See DIRAPI-69 (startTLS hostname verification) for more background information.


[jira] [Commented] (DIRAPI-72) Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6

Posted by "Daniel Fisher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRAPI-72?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273371#comment-13273371 ] 

Daniel Fisher commented on DIRAPI-72:
-------------------------------------

I have an implementation that performs hostname verification like JNDI does for startTLS. However, it may be more than what you want.

Here is the trust manager: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/HostnameVerifyingTrustManager.java
It delegates to a hostname verifier: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/CertificateHostnameVerifier.java
And I provide a default hostname verifier here: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/DefaultHostnameVerifier.java
Which is where the real work is done.
On top of all that, clients are going to want hostname verification *in addition* to the standard trust manager used in the SSL handshake.
Which means you need a class like this: http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/AggregateTrustManager.java
configured with the standard trust manager plus the hostname verifier.

Using trust managers for hostname verification isn't particularly clean, but it does work. If you're interested in me contributing this code or something like it, just let me know.
I don't think you'll be able to get away from something like the aggregate trust manager, but other classes could be simplified at the cost of some flexibility.

                
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6
> --------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-72
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-72
>             Project: Directory Client API
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M9
>            Reporter: Pierre-Arnaud Marcelot
>            Assignee: Pierre-Arnaud Marcelot
>             Fix For: 1.0.0-M12
>
>
> Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6.
> See DIRAPI-69 (startTLS hostname verification) for more background information.
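
The arrangement discussed in the comment above (standard chain validation plus a hostname check inside one trust manager), as an added sketch; it is not code from ldaptive or from the Apache Directory Client API. The class name `HostnameCheckingTrustManager` is hypothetical. It applies the RFC 2830 Section 3.6 rules for dNSName entries (case-insensitive match, `*` only as the left-most name component, any one matching entry suffices, compared against the hostname the client used to open the connection) and does not fall back to the subject CN.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.X509TrustManager;

// Hypothetical class: path validation by a delegate, then a hostname check on the leaf certificate.
public final class HostnameCheckingTrustManager implements X509TrustManager {
    private static final int DNS_NAME = 2;   // GeneralName tag for dNSName
    private final X509TrustManager delegate; // e.g. the platform default trust manager
    private final String hostname;           // name the client used to open the LDAP connection

    public HostnameCheckingTrustManager(X509TrustManager delegate, String hostname) {
        this.delegate = delegate;
        this.hostname = hostname;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // standard trust decision comes first
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames(); // chain[0] is the server's own cert
        if (sans != null) {
            for (List<?> san : sans) {
                // each entry is [Integer type, Object value]; a dNSName value is a String
                if (((Integer) san.get(0)) == DNS_NAME && matches((String) san.get(1), hostname)) {
                    return; // a match on any one dNSName is acceptable
                }
            }
        }
        throw new CertificateException("No dNSName in server certificate matches " + hostname);
    }

    // Case-insensitive comparison; "*" is honoured only as the entire left-most label.
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(h);
        int dot = h.indexOf('.');
        // "*.example.com" matches "ldap.example.com", not "example.com" or "a.b.example.com"
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Because the hostname is fixed at construction, one instance is needed per target server; a rejected name surfaces as a `CertificateException` during the handshake, the same way an untrusted chain does.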
