Posted to dev@hc.apache.org by "David Jorm (JIRA)" <ji...@apache.org> on 2014/08/27 03:26:58 UTC
[jira] [Created] (HTTPCLIENT-1549) CVE-2014-3577 patch may not be RFC-compliant
David Jorm created HTTPCLIENT-1549:
--------------------------------------
Summary: CVE-2014-3577 patch may not be RFC-compliant
Key: HTTPCLIENT-1549
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1549
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 4.3.5
Reporter: David Jorm
Priority: Minor
The fix for CVE-2014-3577 may not be RFC-compliant:
http://svn.apache.org/viewvc?view=revision&revision=1614065
RFC 2818 says that "the (most specific) Common Name field in the Subject field of the certificate MUST be used". I'm not sure if the most specific is the rightmost or the leftmost, but I don't believe it should pick multiple CN values from the certificate subject. Please let me know if this analysis is accurate.
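The distinction the report draws, as an added example in Java (not HttpClient's code and not part of the original message): collecting every CN in a certificate subject versus taking a single one. It assumes the subject is in the RFC 2253 string form that `X500Principal.getName()` returns and treats the leftmost CN of that string as the most specific; the class name, method names and sample subjects are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnExample {

    // All CN values in the subject, leftmost RDN of the string form first.
    static List<String> allCommonNames(String subjectDn) throws NamingException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        List<String> cns = new ArrayList<>();
        // LdapName numbers RDNs from the right (index 0 is the rightmost),
        // so iterate backwards to visit the leftmost RDN first.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // toAttributes() also covers multi-valued RDNs such as "CN=a+OU=b".
            Attribute cn = rdns.get(i).toAttributes().get("cn");
            if (cn != null && cn.get() instanceof String) {
                cns.add((String) cn.get());
            }
        }
        return cns;
    }

    // Only the CN assumed to be most specific (assumption: the leftmost one);
    // null when the subject carries no CN at all.
    static String mostSpecificCommonName(String subjectDn) throws NamingException {
        List<String> cns = allCommonNames(subjectDn);
        return cns.isEmpty() ? null : cns.get(0);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subjects, not taken from any real certificate.
        String twoCns = "CN=www.example.com,CN=legacy.example.net,O=Example Corp,C=US";
        String noCn = "O=Example Corp,C=US";

        // A verifier that matches against the whole list accepts either name;
        // one that follows the single-CN reading checks only the first.
        System.out.println("all CNs:       " + allCommonNames(twoCns));
        System.out.println("single CN:     " + mostSpecificCommonName(twoCns));
        System.out.println("subject w/o CN: " + mostSpecificCommonName(noCn));
    }
}
```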