As a temporary measure, you can certainly use the classes from 3.0.4, they should work.
We can also write our own SocketFactory that's modeled after the StrictSSLProtocolSocketFactory but allows for * certificates. Before we do that though, is anyone familiar with the security ramifications of allowing * certificates?

-Scott

Velpi wrote:
> Hi
>
> I ran into trouble with the HttpClient today while doing an upgrade from 3.0.4
> to 3.0.5: it seems HttpClient doesn't handle * certificates well :(. CAS didn't
> complain about that in older versions...
>
> http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/StrictSSLProtocolSocketFactory.java?view=markup
> "if (hostname.equalsIgnoreCase(cn))" won't work when the name is a "*" of
> course. Although a * certificate isn't the best when it comes to security, it
> should work.
>
> Any idea whether you can fix this easily without having to turn off the check,
> or should I contact the HttpClient people?
> Unfortunately this is a real show-stopper for me :( [I had CAS 3.0.5 and X.509
> with LDAP lookups up&running perfectly... well... almost perfect it seems]
>
> --------------------------------------
> 18:59:08,299 [ERROR] javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'webmail4.example.be', received '*.example.be' - org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
> [http-444-Processor71; 2006-08-07 18:59:08,299]
> javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'webmail4.example.be', received '*.example.be'
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:303)
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
>         at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
>         at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:77)
>         at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>         at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
> --------------------------------------
>
> --
> Velpi
> _______________________________________________
> cas-dev mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas-dev

_______________________________________________
cas-dev mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas-dev
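The matching rule that a wildcard-aware replacement for `StrictSSLProtocolSocketFactory.verifyHostname` would need is the crux of the "security ramifications" question: the risk of accepting `*` lies in how much a single wildcard is allowed to cover. The following is an added example, not code from the thread or from the HttpClient contrib package; the class name `WildcardHostnameMatcher` and the sample host/certificate pairs are constructed here. It keeps the wildcard confined to exactly one left-most label, so `*.example.be` covers `webmail4.example.be` (the pair from the log above) but neither `a.webmail4.example.be` nor `example.be`, and names such as `*.be` or `web*.example.be` are rejected outright. It only shows the name comparison; chain validation against the trust store still has to happen before this check is meaningful.

```java
import java.util.Locale;

/**
 * Hostname-to-certificate-name matching with narrowly scoped wildcard support.
 * Added example (not the HttpClient contrib code): the comparison a replacement
 * for StrictSSLProtocolSocketFactory.verifyHostname could apply instead of
 * plain hostname.equalsIgnoreCase(cn).
 */
public final class WildcardHostnameMatcher {

    private WildcardHostnameMatcher() {}

    /**
     * Returns true if the presented certificate name (CN or dNSName SAN) covers
     * the requested host. A wildcard is honoured only as the complete left-most
     * label ("*.example.be"), it matches exactly one label, and the part after
     * the wildcard must itself contain at least two labels, so "*.be" is refused.
     */
    public static boolean matches(String hostname, String certName) {
        if (hostname == null || certName == null) {
            return false;
        }
        String host = stripTrailingDot(hostname.toLowerCase(Locale.ROOT));
        String cn = stripTrailingDot(certName.toLowerCase(Locale.ROOT));

        if (cn.indexOf('*') < 0) {
            return host.equals(cn);   // no wildcard: the exact comparison 3.0.5 already does
        }
        // The wildcard must be the whole first label: "*.example.be",
        // not "web*.example.be", "*example.be" or "*.*.be".
        if (!cn.startsWith("*.") || cn.indexOf('*', 1) >= 0) {
            return false;
        }
        String suffix = cn.substring(1);                  // ".example.be"
        if (countLabels(suffix.substring(1)) < 2) {       // "example.be" -> 2 labels, fine; "be" -> too broad
            return false;
        }
        if (!host.endsWith(suffix)) {
            return false;
        }
        String leftmost = host.substring(0, host.length() - suffix.length());
        // Exactly one non-empty label may stand in for "*": "webmail4" yes, "" and "a.b" no.
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    private static String stripTrailingDot(String s) {
        return s.endsWith(".") ? s.substring(0, s.length() - 1) : s;
    }

    private static int countLabels(String s) {
        if (s.isEmpty()) {
            return 0;
        }
        int n = 1;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '.') {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample pairs; the first one mirrors the names in the log line quoted in the thread.
        String[][] cases = {
            {"webmail4.example.be",   "*.example.be",        "true"},
            {"webmail4.example.be",   "webmail4.example.be", "true"},
            {"a.webmail4.example.be", "*.example.be",        "false"}, // wildcard spans one label only
            {"example.be",            "*.example.be",        "false"}, // nothing to stand in for "*"
            {"webmail4.example.be",   "*.be",                "false"}, // would cover a whole TLD
            {"webmail4.example.be",   "web*.example.be",     "false"}, // partial-label wildcard refused
        };
        for (String[] c : cases) {
            boolean got = matches(c[0], c[1]);
            System.out.printf("%-24s vs %-20s -> %-5s (expected %s)%n", c[0], c[1], got, c[2]);
        }
    }
}
```

Plugging this in place of the `equalsIgnoreCase` comparison keeps the check on (the alternative Velpi mentions, turning it off, accepts any certificate at all); the remaining decision for the list is whether one wildcard label is an acceptable scope for the services CAS validates, since every host under that suffix then shares one key.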
