[
https://issues.apache.org/jira/browse/HTTPCLIENT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13784007#comment-13784007
]
Sidney Beekhoven commented on HTTPCLIENT-1410:
----------------------------------------------
I even wonder if the complete check should be there at all, like it is also
stated in the comment of the BAD_COUNTRY_2LDS var:
"The [*.co.uk] problem is an interesting one. Should we just hope
* that CA's would never foolishly allow such a certificate to happen?
* Looks like we're the only implementation guarding against this.
* Firefox, Curl, Sun Java 1.4, 5, 6 don't bother with this check."
As far as i can see there is not a fixed rule set for these kind of domains?
> AbstractVerifier.acceptableCountryWildcard check not strict enough
> ------------------------------------------------------------------
>
> Key: HTTPCLIENT-1410
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1410
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.3 Final
> Reporter: Sidney Beekhoven
>
> I work at a company called info.nl in the Netherlands, so our domain is
> info.nl. We have a wildcard certificate in use for several services,
> *.info.nl.
> The AbstractVerifier has a method acceptableCountryWildcard which checks that
> you don't use eg *.co.uk as the wildcard in the certificate. The second to
> last domain part is checked against a fixed list, which includes info so our
> wildcard is not accepted.
> Apparantly there are some countries where info.<countrycode> is seen as a top
> level domain but that is not the case for the netherlands. So the check on
> this is not strict enough and should also take into account the top level
> domain.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
