Posted to dev@hc.apache.org by "David Jorm (JIRA)" <ji...@apache.org> on 2014/08/27 03:26:58 UTC

[jira] [Created] (HTTPCLIENT-1549) CVE-2014-3577 patch may not be RFC-compliant

David Jorm created HTTPCLIENT-1549:
--------------------------------------

             Summary: CVE-2014-3577 patch may not be RFC-compliant
                 Key: HTTPCLIENT-1549
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1549
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.3.5
            Reporter: David Jorm
            Priority: Minor


The fix for CVE-2014-3577 may not be RFC-compliant:

http://svn.apache.org/viewvc?view=revision&revision=1614065

RFC 2818 says that "the (most specific) Common Name field in the Subject field of the certificate MUST be used". I'm not sure if the most specific is the rightmost or the leftmost, but I don't believe it should pick multiple CN values from the certificate subject. Please let me know if this analysis is accurate.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

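Added example (not HttpClient's code, and not part of the JIRA report above): a stand-alone Python illustration of the RFC 2818 rule the report quotes, showing the difference between matching against only the most specific CN and matching against every CN in the subject. An X.501 DN is a sequence of RDNs ordered from root to leaf, and the RFC 2253/4514 string form (what Java's X500Principal.getName() returns) reverses that order, so the most specific RDN is the first one in a string like "CN=www.example.com,O=Example,C=US". The sample DN, the function names, and the helper parser are assumptions of this example; the parser does not handle the quoted-value syntax, and the wildcard rule is deliberately restricted to a whole leftmost label (RFC 6125 practice), which is stricter than the "component fragment" wildcards RFC 2818 itself permits.

```python
"""RFC 2818 section 3.1 hostname verification, illustrative only.

Rule: if a subjectAltName extension with dNSName entries is present it MUST be
used as the identity; otherwise the (most specific) Common Name of the Subject
is used.  Matching every CN in the subject is a superset of that rule.
"""
import re
from typing import List, Optional, Sequence, Tuple


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):          # keep escape pair intact
            cur.append(c)
            cur.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Resolve RFC 2253 backslash escapes: \\X for a special char, \\HH for a byte."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", v[i + 1:i + 3]):
                out.append(int(v[i + 1:i + 3], 16))
                i += 3
                continue
            out += v[i + 1].encode("utf-8")
            i += 2
            continue
        out += v[i].encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def parse_rfc2253_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse a string DN into RDNs (most specific first, as RFC 2253 writes them).

    Each RDN is a list of (attribute type, value) pairs; '+' joins multi-valued
    RDNs.  Quoted values ("...") are not supported in this example.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, value = ava.partition("=")
            avas.append((attr_type.strip().upper(), _unescape(value.lstrip())))
        rdns.append(avas)
    return rdns


def all_cns(dn: str) -> List[str]:
    """Every CN value in the subject, most specific first."""
    return [v for rdn in parse_rfc2253_dn(dn) for t, v in rdn if t == "CN"]


def most_specific_cn(dn: str) -> Optional[str]:
    """The single CN RFC 2818 refers to: the first one in RFC 2253 order."""
    cns = all_cns(dn)
    return cns[0] if cns else None


def _matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' allowed only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:   # no '*.com'
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, subject_dn: str,
                    san_dns_names: Sequence[str] = (),
                    use_all_cns: bool = False) -> bool:
    """RFC 2818 check. use_all_cns=True models matching against every CN."""
    if san_dns_names:                      # SAN present: subject CN is ignored
        candidates = list(san_dns_names)
    elif use_all_cns:
        candidates = all_cns(subject_dn)
    else:
        cn = most_specific_cn(subject_dn)
        candidates = [cn] if cn else []
    return any(_matches(c, hostname) for c in candidates)


# Constructed sample subject with two CN RDNs (assumption of this example).
SAMPLE_DN = "CN=www.example.com,CN=attacker.example,OU=Web\\, Ops,O=Example Inc.,C=US"

if __name__ == "__main__":
    print("all CNs:", all_cns(SAMPLE_DN))
    print("most specific CN:", most_specific_cn(SAMPLE_DN))
    for host in ("www.example.com", "attacker.example"):
        print(host, "single-CN:", verify_hostname(host, SAMPLE_DN),
              "all-CNs:", verify_hostname(host, SAMPLE_DN, use_all_cns=True))
```

With the sample subject, "attacker.example" is rejected under the single most-specific-CN rule but accepted when every CN is a candidate; a SAN dNSName list, when present, takes precedence over the subject entirely.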