Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2012/12/12 20:34:20 UTC

[jira] [Resolved] (HTTPCLIENT-1275) AllowAllHostnameVerifier does not prevent SSL handshake verification errors

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1275.
-------------------------------------------

    Resolution: Not A Problem

Karl,
I think there is a misunderstanding as to what a hostname verifier is supposed to do. A hostname verifier checks whether or not the certificate's subject matches the host the certificate was received from. It is primarily meant to guard against man-in-the-middle type of exploits. This has _no_ bearing on the SSL handshake and the decision as to whether the certificate is considered authentic and trusted. If you want to make HttpClient accept _any_ certificate, this is what you should do:

---
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;

    // The SSLSocketFactory constructor declares checked exceptions, hence the throws clause
    static SSLSocketFactory trustAll() throws Exception {
        return new SSLSocketFactory(new TrustStrategy() {
            public boolean isTrusted(
                    final X509Certificate[] chain,
                    final String authType) throws CertificateException {
                // who cares?
                return true;
            }
        }, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
---

Hope this helps

Oleg
                
> AllowAllHostnameVerifier does not prevent SSL handshake verification errors
> ---------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1275
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1275
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: 4.2.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: 4.2.3
>
>
> In debugging unverified SSL connections for the ManifoldCF RSS connector, I discovered that even with AllowAllHostnameVerifier(), which supposedly shuts down SSL hostname verification, the SSLSession method getPeerCertificates() can cause an exception anyway, before the overridden method is called, because peer authentication has not yet occurred.
> See CONNECTORS-579 for details, and for the exact trace.
> I'm also looking for suggestions as to how to properly fix this.  One possibility would be to catch the exception and pass null for the peer certs to the verify method.  Since that loses the exception, though, it might be better to change the method signature of the overridden verify() method and include an Exception object, which could get rethrown if needed.
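The distinction drawn in the comment above, the trust decision taken during the handshake versus the hostname check taken after it, is easier to see with both hooks configured deliberately. The following is an added example against the HttpClient 4.2 API, not code from the issue or from the HttpComponents project: instead of a `TrustStrategy` that returns `true` for everything, it pins one known self-signed server certificate (falling back to the JVM's default trust manager for anything else, which is how `TrustManagerDecorator` in 4.2 composes a `TrustStrategy`) and keeps `STRICT_HOSTNAME_VERIFIER` so the subject/SAN must still match the requested host. The class name, the certificate file path and the URL are placeholders of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.DefaultHttpClient;

/** Added example (not project code): accept one pinned self-signed cert, keep hostname checks. */
public class PinnedSelfSignedExample {

    /** Loads the expected server certificate from a PEM or DER file (path is an assumption). */
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * Handshake-time trust decision. Returning true short-circuits chain validation
     * only for the pinned leaf; returning false lets the default trust manager decide,
     * so an unknown certificate still fails the handshake instead of being waved through.
     */
    static TrustStrategy pinTo(final X509Certificate expected) {
        return new TrustStrategy() {
            public boolean isTrusted(final X509Certificate[] chain, final String authType)
                    throws CertificateException {
                // X509Certificate.equals compares the DER encoding, so this is an exact match
                return chain != null && chain.length > 0 && chain[0].equals(expected);
            }
        };
    }

    /** Builds a client whose https scheme uses the pinned trust strategy and strict hostname checks. */
    static DefaultHttpClient buildClient(X509Certificate pinned) throws Exception {
        // Two independent controls: TrustStrategy (authenticity, during the handshake)
        // and X509HostnameVerifier (subject/SAN vs. requested host, after the handshake).
        SSLSocketFactory sslf = new SSLSocketFactory(
                pinTo(pinned), SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", 443, sslf));
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and host; replace with the real server certificate and URL.
        X509Certificate pinned = loadCert("/path/to/server-cert.pem");
        DefaultHttpClient client = buildClient(pinned);
        try {
            HttpResponse rsp = client.execute(new HttpGet("https://example.invalid/"));
            System.out.println(rsp.getStatusLine());
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

With this setup a certificate that is neither the pinned one nor issued by a CA in the default trust store fails inside the handshake, and a certificate that is trusted but presented by the wrong host fails in the hostname verifier; swapping in `ALLOW_ALL_HOSTNAME_VERIFIER` would only relax the second check, which is the point of the resolution above.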
