[
https://issues.apache.org/jira/browse/HTTPCLIENT-1051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13003555#comment-13003555
]
Oleg Kalnichevski commented on HTTPCLIENT-1051:
-----------------------------------------------
The first scenario you are describing would also require involvement of green
men from Mars and the malicious 4.3.2.1 server sending a certificate trusted by
the client to be practical.
Oleg
> SSL connections cannot be established using resolvable IP address
> -----------------------------------------------------------------
>
> Key: HTTPCLIENT-1051
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1051
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: 4.1 Final
> Reporter: Alex Dupre
> Priority: Minor
>
> HttpClient 4.1 introduced a regression in establishing SSL connections to
> remote peers (it seems this is a common regression for major httpclient
> updates, see HTTPCLIENT-803).
> The new SSLSocketFactory.connectSocket method calls the X509HostnameVerifier
> with InetSocketAddress.getHostName() parameter. When the selected IP address
> has a reverse lookup name, the verifier is called with the resolved name, and
> so the IP check fails.
> 4.0 release checked for original ip/hostname, but this cannot be done with
> the new connectSocket() method.
> The TestHostnameVerifier.java only checks 127.0.0.1/.2 and so masked the
> issue, because the matching certificate has both "localhost" and "127.0.0.1",
> but actually only "localhost" is matched. A test case with 8.8.8.8 would be
> better.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
