Julius, Thanks for testing it. It'd be nice to have a test case for this kind of forged certificate in the JUnit test suite, actually. Would you be willing to create one?
Funny enough, I was pretty sure that no Java application would ever be affected by this bug, because \0 is an ordinary character in Java, and not a string terminator.

Thanks.
Ortwin

Julius Davies wrote:
> Hi, HttpComponents, and Not-Yet-Commons-SSL,
>
> I saw an interesting link on Justin Mason's weblog (via Planet Apache):
>
> http://taint.org/2009/11/12/230503a.html
>
> Eventually you find this link:
>
> [Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net
> https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html
>
> Just thought I'd let people know that our Hostname Verifier is
> resistant to this. I think the resistance is coming from the way Java
> builds the string, because here is the warning I got when I tried to
> use the cert:
>
> javax.net.ssl.SSLException:
> hostname in certificate didn't match: <localhost> != <*thoughtcrime.noisebridge.net>
> at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)
>
> But even if Java didn't build the String that way, I think we'd still
> be resistant, because if I remember correctly, the HttpClient /
> Not-Yet-Commons-SSL Hostname verifier insists on there being at least
> two dots (e.g. *.a.com) in a wildcard cert.
>
> A feather in my cap! :-)

--
[web] http://www.odi.ch/
[blog] http://www.odi.ch/weblog/
[pgp] key 0x81CF3416 finger print F2B1 B21F F056 D53E 5D79 A5AF 02BE 70F5 81CF 3416
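As an added illustration (not Not-Yet-Commons-SSL's or HttpClient's own code), here is a minimal hostname matcher in Python that applies the two defences discussed in the thread: it refuses a CN containing an embedded NUL instead of silently truncating it the way a C string would, and it accepts a wildcard only when the pattern has at least two dots. The function names and the sample CN values are my own.

```python
def as_c_string(cn: str) -> str:
    """What a NUL-terminated (C-style) reader sees: everything before the first \\0.
    Shows why '*\\x00thoughtcrime.noisebridge.net' collapses to a bare '*'."""
    return cn.split("\x00", 1)[0]


def matches_hostname(cert_cn: str, host: str) -> bool:
    """Return True only if cert_cn legitimately covers host.

    Defences, in order:
      1. Reject any embedded NUL; no legitimate CN or hostname contains one,
         so the value is treated as forged rather than truncated.
      2. Exact match for non-wildcard names (case-insensitive, trailing dot ignored).
      3. Wildcards must look like '*.label.tld' (at least two dots) and may
         replace exactly one leftmost label, so '*.com' and '*' never match.
    """
    if "\x00" in cert_cn or "\x00" in host:
        return False
    cn = cert_cn.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if not cn.startswith("*"):
        return cn == h
    # Wildcard form: must be '*.' followed by at least two labels.
    if not cn.startswith("*.") or cn.count(".") < 2:
        return False
    suffix = cn[1:]                      # e.g. '.a.com'
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]         # the label the '*' stands in for
    return bool(leftmost) and "." not in leftmost


if __name__ == "__main__":
    # Constructed sample values, mirroring the CN quoted in the thread.
    forged = "*\x00thoughtcrime.noisebridge.net"
    print(repr(as_c_string(forged)))                    # '*'
    print(matches_hostname(forged, "localhost"))        # False
    print(matches_hostname("*.a.com", "www.a.com"))     # True
    print(matches_hostname("*.com", "a.com"))           # False
```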
