Posted to dev@hc.apache.org by Julius Davies <ju...@gmail.com> on 2007/02/05 15:05:35 UTC

Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users

Thanks, everyone, for your comments!  I didn't realize Httpclient-4.0
was going to be such a dramatic change to the consumers.  Since that's
the case this isn't such a big deal.

Mind you, upgrading (or maybe "switching" is a better word) to
httpclient-4.0 should only affect the client code.  This change can
require people to fix their client, their server, and their DNS, and
this issue might not show up for people until they hit their production
environments.  I imagine it will be a little stressful!

Regarding:

https-no-host-verify://
https-completely-insecure://

I agree with Roland and Michael that it is best if people not use them
at all.  But I see so many people just blindly using "easy" on the
"httpclient-user" mailing list, I thought maybe
"https-completely-insecure://" would scare them off.

But I also agree that I'm probably being foolish, and that including
it might just encourage more people!

(I wonder if those schemes would have helped the public PKI situation
had they been part of the standards.  Probably not.)

-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
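The thread's subject, "CN verification", is the check that the name the client dialed must match a name the server certificate was issued for, and the "easy" socket factory it argues against is the mode that switches that check (and the chain check) off. The following is an added example, not code from the thread or from HttpClient: it builds a throwaway self-signed certificate in-process, runs the hostname check against it, and contrasts a strict TLS client config with the trust-everything one. The hostnames (`www.example.test`, `*.api.example.test`, `legacy.example.test`) are constructed fixtures. It goes beyond the thread's Java setting by using Go's `crypto/x509`, which also illustrates a later development: since Go 1.15 the Subject CN is ignored and only Subject Alternative Names count, so a CN-only certificate fails even when the CN matches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewLeafCert builds a self-signed server certificate as a constructed test
// fixture (not a real site). cn goes into the Subject; dnsNames go into the
// Subject Alternative Name extension.
func NewLeafCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches is the "CN verification" step: the host the client dialed
// must match a name the certificate was issued for. VerifyHostname compares
// case-insensitively, accepts a wildcard only for a single leftmost label, and
// (Go >= 1.15) looks at SAN dNSName entries only, never the Subject CN.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// ClientTLSConfig contrasts the two modes the thread discusses. strict=false is
// the "easy" / trust-everything behaviour: InsecureSkipVerify disables both the
// chain check and the hostname check, so any certificate is accepted.
func ClientTLSConfig(strict bool) *tls.Config {
	if strict {
		return &tls.Config{MinVersion: tls.VersionTLS12}
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}
}

func main() {
	cert, err := NewLeafCert("www.example.test", []string{"www.example.test", "*.api.example.test"})
	if err != nil {
		panic(err)
	}
	for _, h := range []string{
		"www.example.test",    // exact SAN match
		"WWW.EXAMPLE.TEST",    // case-insensitive
		"v1.api.example.test", // one label under the wildcard
		"api.example.test",    // wildcard needs a label in front of it
		"evil.example.test",   // not issued for this name
	} {
		fmt.Printf("%-22s -> %v\n", h, HostnameMatches(cert, h))
	}
	// A certificate with only a CN and no SAN: the CN matches, but modern
	// verifiers ignore it, so the check still fails.
	legacy, err := NewLeafCert("legacy.example.test", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("CN-only cert accepted:", HostnameMatches(legacy, "legacy.example.test"))
}
```

The mismatch cases are exactly the ones the thread predicts will surface in production: a server certificate issued for one name while DNS and the client agree on another. Fixing that means aligning the certificate's SAN list, the DNS name, and the URL the client uses, not disabling the check.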


Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users

Posted by Julius Davies <ju...@cucbc.com>.
Hi, Oleg, Jim, Martin, others on httpcomponents-dev,


In reply to Oleg's question:


On Mon, 2007-05-02 at 17:58 +0100, Oleg Kalnichevski wrote:
> Folks,
> 
> I think there should no longer be any contrib SSL stuff in HttpClient
> 4.0, easy or otherwise. The users should simply get directed to Commons
> SSL / SSLUtils / whatever
> 
> Julius,
> 
> Where did the process get stuck again?
> 
> Oleg



Here's a status update on not-yet-commons-ssl:

- not-yet-commons-ssl-0.3.5 released from
"http://juliusdavies.ca/commons-ssl/" on January 1st with better CN
verification (inspired by the HTTPCLIENT-614 issue:
https://issues.apache.org/jira/browse/HTTPCLIENT-614)

- Mailing list started up.  4 subscribers!  Averaging 2 posts per
month!  :-)
http://lists.juliusdavies.ca/listinfo.cgi/not-yet-commons-ssl-juliusdavies.ca/

- I think n-y-c-ssl is averaging about 2 downloads a day.


Jim kindly offered to sign a copy of the CCLA and send it back to CUCBC.
I sent Jim a self-addressed stamped envelope (hard to find U.S. stamps
in Canada!) on December 12th, and now I'm just waiting for the CCLA to
show up at CUCBC before I send an email to the Incubation PMC.

Hopefully the S.A.S.E. arrived and was large enough to hold the CCLA!
If not, I can send another one.

I'm doing things weird by doing the CCLA first, but I think that's the
most critical issue to get out of the way so that people can safely
download the library and play around with it.


yours,

Julius



-- 
Julius Davies, Senior Application Developer, Product Development
T 416-652-0183 | juliusdavies@cucbc.com




Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users

Posted by Roland Weber <ht...@dubioso.net>.
Hi Oleg,

> I think there should no longer be any contrib SSL stuff in HttpClient
> 4.0, easy or otherwise. The users should simply get directed to Commons
> SSL / SSLUtils / whatever

fair enough. So it will just be clear statements in the SSL guide 4.0.

cheers,
  Roland



Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2007-02-05 at 17:50 +0100, Roland Weber wrote:
> Hi Julius,
> 
> > Mind you, upgrading (or maybe "switching" is a better word) to
> > httpclient-4.0 should only affect the client code.  This change can
> > require people to fix their client, their server, and their DNS, and
> > this issue might not show up for people until they hit their production
> > environments.  I imagine it will be a little stressful!
> 
> Thanks for bringing it to our attention. We will remember it by the
> time we're writing an SSL guide for 4.0. And if it hits them only
> in production, their integration and staging environments aren't
> good enough ;-)
> 
> > I agree with Roland and Michael that it is best if people not use them
> > at all.  But I see so many people just blindly using "easy" on the
> > "httpclient-user" mailing list, I thought maybe
> > "https-completely-insecure://" would scare them off.
> 
> We'll be addressing that in the SSL 4.0 guide, too. And I'll see to
> it that the "EasySSLProtocolSocketFactory" changes its name not only
> after the "SSL" part :-)
> 

Folks,

I think there should no longer be any contrib SSL stuff in HttpClient
4.0, easy or otherwise. The users should simply get directed to Commons
SSL / SSLUtils / whatever

Julius,

Where did the process get stuck again?

Oleg

> > (I wonder if those schemes would have helped the public PKI situation
> > had they been part of the standards.  Probably not.)
> 
> Hardly. The point of PKI is to establish a chain of trust.
> You can't do that by removing the trust.
> 
> cheers,
>   Roland
> 




Re: [httpclient] [ssl] 4.0's CN verification might cause some headaches for users

Posted by Roland Weber <ht...@dubioso.net>.
Hi Julius,

> Mind you, upgrading (or maybe "switching" is a better word) to
> httpclient-4.0 should only affect the client code.  This change can
> require people to fix their client, their server, and their DNS, and
> this issue might not show up for people until they hit their production
> environments.  I imagine it will be a little stressful!

Thanks for bringing it to our attention. We will remember it by the
time we're writing an SSL guide for 4.0. And if it hits them only
in production, their integration and staging environments aren't
good enough ;-)

> I agree with Roland and Michael that it is best if people not use them
> at all.  But I see so many people just blindly using "easy" on the
> "httpclient-user" mailing list, I thought maybe
> "https-completely-insecure://" would scare them off.

We'll be addressing that in the SSL 4.0 guide, too. And I'll see to
it that the "EasySSLProtocolSocketFactory" changes its name not only
after the "SSL" part :-)

> (I wonder if those schemes would have helped the public PKI situation
> had they been part of the standards.  Probably not.)

Hardly. The point of PKI is to establish a chain of trust.
You can't do that by removing the trust.

cheers,
  Roland
