David Jorm created HTTPCLIENT-1549:
--------------------------------------
Summary: CVE-2014-3577 patch may not be RFC-compliant
Key: HTTPCLIENT-1549
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1549
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 4.3.5
Reporter: David Jorm
Priority: Minor
The fix for CVE-2014-3577 may not be RFC-compliant:
http://svn.apache.org/viewvc?view=revision&revision=1614065
RFC 2818 says that "the (most specific) Common Name field in the Subject field
of the certificate MUST be used". I'm not sure if the most specific is the
rightmost or the leftmost, but I don't believe it should pick multiple CN
values from the certificate subject. Please let me know if this analysis is
accurate.
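
The difference between matching a host name against every CN in the subject and against a single CN, as an added example (this is not HttpClient's code and not the patch in revision 1614065). It assumes the subject is available in RFC 2253 string form and treats the leftmost CN in that form as the most specific one; the class name, method names and subject string are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CommonNameSelection {

    // All CN values in the order they appear in the RFC 2253 string (left to right).
    // LdapName numbers RDNs from the right-hand end of the string, so index
    // size()-1 is the leftmost RDN; iterate from the highest index down.
    static List<String> allCommonNames(String subjectDn) throws InvalidNameException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        List<String> cns = new ArrayList<>();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);
            if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                cns.add((String) rdn.getValue());
            }
        }
        return cns;
    }

    // Exactly one CN: the one treated as most specific.
    // Assumption: that is the leftmost CN of the RFC 2253 string form.
    static String mostSpecificCommonName(String subjectDn) throws InvalidNameException {
        List<String> cns = allCommonNames(subjectDn);
        return cns.isEmpty() ? null : cns.get(0);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject with two CN attributes; not taken from a real certificate.
        String subject = "CN=www.example.test, CN=legacy.example.test, O=Example Org, C=US";
        String host = "legacy.example.test";

        // Multi-CN behaviour: the host is accepted if any CN equals it.
        boolean anyCn = allCommonNames(subject).stream().anyMatch(host::equalsIgnoreCase);
        // Single-CN behaviour: only the most specific CN is compared.
        boolean singleCn = host.equalsIgnoreCase(mostSpecificCommonName(subject));

        System.out.println("CN values:            " + allCommonNames(subject));
        System.out.println("match against any CN: " + anyCn);
        System.out.println("match most specific:  " + singleCn);
    }
}
```

For the constructed subject the two policies disagree on `legacy.example.test`, which is the behavioural difference the report asks about.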