[ https://issues.apache.org/jira/browse/HTTPCLIENT-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13530316#comment-13530316 ]
Oleg Kalnichevski commented on HTTPCLIENT-1275:
-----------------------------------------------
> If the purpose of AllowAllHostnameVerifier is not to prevent verification of
> certs, then this ticket can be closed.
It is not. HostnameVerifier is an additional security check that applies to
trusted certificates only. It is not meant as a substitute for trust
verification.
Oleg
> AllowAllHostnameVerifier does not prevent SSL handshake verification errors
> ---------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1275
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1275
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: 4.2.2
> Reporter: Karl Wright
> Assignee: Karl Wright
> Fix For: 4.2.3
>
>
> In debugging unverified SSL connections for the ManifoldCF RSS connector, I
> discovered that even with AllowAllHostnameVerifier(), which supposedly shuts
> down SSL hostname verification, the SSLSession method getPeerCertificates()
> can cause an exception anyway, before the overridden method is called,
> because peer authentication has not yet occurred.
> See CONNECTORS-579 for details, and for the exact trace.
> I'm also looking for suggestions as to how to properly fix this. One
> possibility would be to catch the exception and pass null for the peer certs
> to the verify method. Since that loses the exception, though, it might be
> better to change the method signature of the overridden verify() method and
> include an Exception object, which could get rethrown if needed.
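
Added example, not part of the original message or of HttpClient: a probe that reports which layer rejects a TLS connection, using the JDK's HttpsURLConnection rather than HttpClient's own verifier classes. The class name, the Result values and the default URL are constructed placeholders; the recording verifier always answers false, so it can never widen what is accepted.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;

public class TlsLayerProbe {

    enum Result { ACCEPTED, REJECTED_IN_HANDSHAKE, REJECTED_BY_HOSTNAME_CHECK, OTHER_IO_ERROR }

    static Result probe(URL url) {
        AtomicBoolean verifierConsulted = new AtomicBoolean(false);
        try {
            // Assumes an https:// URL; any other scheme fails the cast.
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            // The JDK consults a custom verifier only after the handshake has
            // succeeded and its built-in name check has failed. This one only
            // records that it was asked and then rejects.
            conn.setHostnameVerifier((hostname, session) -> {
                verifierConsulted.set(true);
                return false;
            });
            try {
                conn.connect(); // handshake, including certificate path validation
                return Result.ACCEPTED; // chain trusted and name matched
            } finally {
                conn.disconnect();
            }
        } catch (SSLException e) {
            // Handshake failed (for example an untrusted chain). The verifier
            // was never reached, so no verifier could have changed this result.
            return Result.REJECTED_IN_HANDSHAKE;
        } catch (IOException e) {
            return verifierConsulted.get()
                    ? Result.REJECTED_BY_HOSTNAME_CHECK // chain trusted, name mismatch
                    : Result.OTHER_IO_ERROR;            // DNS, refused connection, timeout
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder; pass the real endpoint as the first argument.
        String target = args.length > 0 ? args[0] : "https://localhost:8443/";
        URL url = URI.create(target).toURL();
        System.out.println(url + " -> " + probe(url));
    }
}
```

A REJECTED_IN_HANDSHAKE result points at the trust configuration (the trust store or the server's chain), not at the hostname verifier.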