You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Julius Davies (JIRA)" <ji...@apache.org> on 2006/12/06 05:30:22 UTC
[jira] Updated: (HTTPCLIENT-613) https should check CN of x509 cert
[ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=all ]
Julius Davies updated HTTPCLIENT-613:
-------------------------------------
Attachment: SSLSocketFactory.patch
patch also includes fix of an NPE when using createSocket( Socket s ) [the method that upgrades pre-existing plain socket to SSLSocket].
Not sure where to put my testing code - sorry I'm such a newb! Here's the testing code:
public static void main( String[] args ) throws Exception {
String host = args[ 0 ];
SSLSocketFactory f = new SSLSocketFactory();
HttpParams params = new DefaultHttpParams();
try {
Socket s = f.createSocket( args[ 0 ], 443, null, 0, params );
exercise( host, s );
s.close();
} catch ( Exception e ) {
System.out.println( "test1: " + e );
}
try {
Socket s = new Socket( args[ 0 ], 443 );
s = f.createSocket( s, args[ 0 ], 443, true );
exercise( host, s );
s.close();
} catch ( Exception e ) {
System.out.println( "test2: " + e );
}
}
private static void exercise( String host, Socket s ) throws Exception {
InputStream in = s.getInputStream();
OutputStream out = s.getOutputStream();
out.write( ( "HEAD / HTTP/1.1\r\n" +
"host: " + host + "\r\n\r\n" ).getBytes() );
out.flush();
for ( int i = 0; i < 64; i++ ) {
int b = in.read();
if ( b == -1 ) {
break;
}
else {
System.out.print( (char) b );
}
}
System.out.println();
}
> https should check CN of x509 cert
> ----------------------------------
>
> Key: HTTPCLIENT-613
> URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: Nightly Builds
> Reporter: Julius Davies
> Priority: Critical
> Attachments: SSLSocketFactory.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection", the checking provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods on o.a.h.conn.ssl.SSLSocketFactory to blowup:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org