[ 
https://issues.apache.org/jira/browse/DIRAPI-72?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273371#comment-13273371
 ] 

Daniel Fisher commented on DIRAPI-72:
-------------------------------------

I have an implementation that performs hostname verification like JNDI does for 
startTLS. However it may be more than what you want.

Here is the trust manager: 
http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/HostnameVerifyingTrustManager.java
It delegates to a hostname verifier: 
http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/CertificateHostnameVerifier.java
And I provide a default hostname verifier here: 
http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/DefaultHostnameVerifier.java
Which is where the real work is done.
On top of all that, clients are going to want hostname verification *in 
addition* to the standard trust manager used in the SSL handshake.
Which means you need a class like this: 
http://code.google.com/p/vt-middleware/source/browse/ldaptive/core/trunk/src/main/java/org/ldaptive/ssl/AggregateTrustManager.java
configured with the standard trust manager plus the hostname verifier.

Using trust managers for hostname verification isn't particularly clean, but it 
does work. If you're interested in me contributing this code or something like 
it, just let me know.
I don't think you'll be able to get away from something like the aggregate 
trust manager, but other classes could be simplified at the cost of some 
flexibility.
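
The arrangement described above (a hostname-verifying trust manager, aggregated with the standard PKIX trust manager so both must pass) as an added, self-contained Java example. This is not the ldaptive code linked above nor anything from the Directory Client API; class names, the `forHost` helper and the matching rules are my own rendering of RFC 2830 section 3.6 (prefer dNSName subjectAltNames, fall back to the subject CN, case-insensitive compare, `*` allowed only as the whole left-most label, and compare against the name the client actually connected with, never a canonical or resolved form):

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Runs every delegate in turn; the chain is trusted only if none of them throws. */
final class AggregateTrustManager implements X509TrustManager {
    private final X509TrustManager[] delegates;

    AggregateTrustManager(X509TrustManager... delegates) { this.delegates = delegates; }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        for (X509TrustManager tm : delegates) tm.checkClientTrusted(chain, authType);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        for (X509TrustManager tm : delegates) tm.checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> all = new ArrayList<>();
        for (X509TrustManager tm : delegates) for (X509Certificate c : tm.getAcceptedIssuers()) all.add(c);
        return all.toArray(new X509Certificate[0]);
    }
}

/** Checks only the leaf certificate's names against the connection hostname (RFC 2830 s3.6). */
final class HostnameVerifyingTrustManager implements X509TrustManager {
    private final String expectedHost; // the name passed to the LDAP connection, not a resolved form

    HostnameVerifyingTrustManager(String expectedHost) { this.expectedHost = expectedHost; }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { /* nothing to verify */ }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        List<String> names = presentedNames(chain[0]);
        for (String name : names) if (matches(name, expectedHost)) return;
        throw new CertificateException("hostname " + expectedHost + " does not match certificate names " + names);
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    /** dNSName SAN entries when the extension is present, otherwise the subject CN value(s). */
    static List<String> presentedNames(X509Certificate cert) throws CertificateException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (sans != null) {
            for (List<?> san : sans) if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1)); // 2 = dNSName
        }
        if (!names.isEmpty()) return names;
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        return names;
    }

    /** Case-insensitive; "*.example.com" matches "ldap.example.com" but not "example.com" or "a.b.example.com". */
    static boolean matches(String certName, String host) {
        String c = certName.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) return c.equals(h);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot + 1).equals(c.substring(2));
    }
}

/** Hypothetical helper: the JDK's default PKIX trust manager plus the hostname check, in one SSLContext. */
final class LdapTlsContext {
    static SSLContext forHost(String host) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK's default trust store
        X509TrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) { pkix = (X509TrustManager) tm; break; }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AggregateTrustManager(pkix, new HostnameVerifyingTrustManager(host)) }, null);
        return ctx;
    }
}
```

Two caveats for anyone copying this shape. The hostname-verifying trust manager does not validate the chain at all, so it must only ever be installed alongside a real PKIX trust manager, as the aggregate does here; on its own it would accept any self-signed certificate bearing the right name. And on Java 7 and later the same check is available without a custom trust manager by calling `SSLParameters.setEndpointIdentificationAlgorithm("LDAPS")` on the socket or engine, which makes the JDK's own trust manager perform the RFC 2830 style hostname match.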

                
> Provide a default TrustManager for hostname verification to comply with RFC 
> 2830 Section 3.6
> --------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-72
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-72
>             Project: Directory Client API
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M9
>            Reporter: Pierre-Arnaud Marcelot
>            Assignee: Pierre-Arnaud Marcelot
>             Fix For: 1.0.0-M12
>
>
> Provide a default TrustManager for hostname verification to comply with RFC 
> 2830 Section 3.6.
> See DIRAPI-69 (startTLS hostname verification) for more background 
> information.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
