Posted to dev@hc.apache.org by "Julius Davies (JIRA)" <ji...@apache.org> on 2007/10/10 19:52:51 UTC

[jira] Updated: (HTTPCLIENT-617) Hostname verification: turn off wildcards when CN is an IP address

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julius Davies updated HTTPCLIENT-617:
-------------------------------------

    Attachment: guard_against_ip4_wildcard.patch

Thanks, Oleg!  Here's what I had in mind (see attached patch).  I'll try and put together a junit test for this - hopefully soon (famous last words).  Unfortunately I have to remember how to use openssl to generate an X509 cert with CN=*.1.2.3, but should hopefully find time this weekend.

yours,

Julius

> Hostname verification:  turn off wildcards when CN is an IP address
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-617
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-617
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: Snapshot
>            Reporter: Julius Davies
>            Priority: Minor
>             Fix For: 4.0 Alpha 2
>
>         Attachments: guard_against_ip4_wildcard.patch
>
>
> Hostname verification: turn off wildcards when CN is an IP address.  This is a further improvement on HTTPCLIENT-613 and HTTPCLIENT-614.
> Example - don't allow:
> CN=*.114.102.2
> I'm thinking of grabbing the substring following the final dot, and running it through "Integer.parseInt()".  If the NumberFormatException isn't thrown (so Integer.parseInt() actually worked!), then I'll turn off wildcard matching.  Notice that this won't be a problem with IP6 addresses, since they don't use dots.  It's only a problem with IP4, where the meaning of the dots clashes with dots in domain names.
> Note:  when I turn off wildcard matching, I still attempt an exact match with the hostname.  If through some weird mechanism the client is actually able to use a hostname such as "https://*.114.102.2/", then they will be okay if that's what the certificate on the server contains.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
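The guard described in the issue, written out as an added example: it is not the attached patch and not HttpClient's own verifier code. It follows the heuristic stated in the issue text (take the label after the final dot, run it through Integer.parseInt, and disable wildcard matching when that succeeds) and keeps the exact-match fallback the reporter mentions. The class and method names are chosen for the example; the single-label wildcard rule (one hostname label in place of the "*") is an assumption, not something the issue specifies.

```java
import java.util.Locale;

/**
 * Added example for HTTPCLIENT-617 (not the project's code).
 * A certificate CN whose last dot-separated label is numeric looks like an
 * IPv4 address, so "*.114.102.2" must not be treated as a wildcard pattern.
 * Such a CN can still be accepted by an exact string match.
 */
public final class Ip4WildcardGuard {

    /** The issue's heuristic: does the text after the final dot parse as an integer? */
    static boolean lastLabelIsNumeric(String cn) {
        int dot = cn.lastIndexOf('.');
        if (dot < 0 || dot == cn.length() - 1) {
            return false;               // no dot, or a trailing dot: not IPv4-like
        }
        try {
            Integer.parseInt(cn.substring(dot + 1));
            return true;                // parse worked, so treat the CN as an IPv4 address
        } catch (NumberFormatException e) {
            return false;               // "com", "org", ... : a normal domain label
        }
    }

    /** Returns true when the certificate CN is acceptable for the requested hostname. */
    static boolean matches(String hostname, String cn) {
        String host = hostname.toLowerCase(Locale.ROOT);
        String name = cn.toLowerCase(Locale.ROOT);
        if (host.equals(name)) {
            return true;                // exact match is always tried first, even for "*.114.102.2"
        }
        // Wildcards are honoured only for a "*.something" CN whose last label is not numeric.
        if (name.startsWith("*.") && !lastLabelIsNumeric(name)) {
            String suffix = name.substring(1);           // e.g. ".example.com"
            if (!host.endsWith(suffix) || host.length() <= suffix.length()) {
                return false;
            }
            // Assumed rule for this example: the "*" stands for exactly one hostname label.
            String prefix = host.substring(0, host.length() - suffix.length());
            return prefix.indexOf('.') < 0;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed test pairs; "*.114.102.2" is the issue's own example.
        String[][] cases = {
            {"www.example.com", "*.example.com"},   // accepted: wildcard on a domain name
            {"a.b.example.com", "*.example.com"},   // rejected: "*" covers one label only (assumed)
            {"10.114.102.2",    "*.114.102.2"},     // rejected: CN looks like an IPv4 address
            {"*.114.102.2",     "*.114.102.2"},     // accepted: exact match still works
            {"10.114.102.2",    "10.114.102.2"},    // accepted: plain exact match
        };
        for (String[] c : cases) {
            System.out.printf("host=%-16s cn=%-16s -> %s%n", c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```

Running the class prints one line per pair; the third case is the one the issue is about, where an IPv4 client address would otherwise be matched by a "*.114.102.2" certificate. As the issue notes, IPv6 literals contain no dots, so lastLabelIsNumeric returns false for them and they fall through to the exact-match path unchanged.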