[
https://issues.apache.org/jira/browse/HTTPCLIENT-1802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Suphannee Sivakorn updated HTTPCLIENT-1802:
-------------------------------------------
Description:
1. Matching commonName in case sensitive manner when wildcard presents
(violation of RFC 6125 and RFC 5280)
HttpClient matches certificate commonName in the case sensitive manner
when there is a wildcard presents in the certificate commonName, for
example, given commonName as "*.google.com", HttpClient matches
"foo.google.com", it however does not match "foo.Google.com". We found
that this behavior is inconsistent with section 6.4.4 of RFC 6125
specification -- "If the client chooses to compare a reference
identifier of type CN-ID against that string, it MUST follow the
comparison rules for the DNS domain name portion of an identifier of
type DNS-ID, SRV-ID, or URI-ID". Note that matching DNS-ID, SRV-ID and
URI-ID all are in case insensitive manner (RFC 5280).
Testing certificate attached: s_google_com.pem
Testing hostname: foo.Google.com
Expected behavior: match
2. Attempting to match commonName when SubjectAltName identifier presents
Section 6.3 of RFC 6125 prohibits clients from attempting to match
certificate CN if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the
client. We found that HttpClient violates this requirement as it
attempts to match CN even when there is a subjectAltName identifier
presents e.g., IP address. However, the library does not attempt to
match certificate CN when certificate subjectAltName DNS presents.
Testing certificate attached: 1_1_1_1.pem
Testing hostname: dummy-value.com
Expected behavior: no match
Credit:
Suphannee Sivakorn
George Argyros
Kexin Pei
Prof. Suman Jana
was:
1. Matching commonName in case sensitive manner when wildcard presents
(violation of RFC 6125 and RFC 5280)
HttpClient matches certificate commonName in the case sensitive manner
when there is a wildcard presents in the certificate commonName, for
example, given commonName as "*.google.com", HttpClient matches
"foo.google.com", it however does not match "foo.Google.com". We found
that this behavior is inconsistent with section 6.4.4 of RFC 6125
specification -- "If the client chooses to compare a reference
identifier of type CN-ID against that string, it MUST follow the
comparison rules for the DNS domain name portion of an identifier of
type DNS-ID, SRV-ID, or URI-ID". Note that matching DNS-ID, SRV-ID and
URI-ID all are in case insensitive manner (RFC 5280).
Testing certificate attached: s_google_com.pem
Testing hostname: foo.Google.com
Expected behavior: match
2. Attempting to match commonName when SubjectAltName identifier presents
Section 6.3 of RFC 6125 prohibits clients from attempting to match
certificate CN if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the
client. We found that HttpClient violates this requirement as it
attempts to match CN even when there is a subjectAltName identifier
presents e.g., IP address. However, the library does not attempt to
match certificate CN when certificate subjectAltName DNS presents.
Testing certificate attached: 1_1_1_1.pem
Testing hostname: dummy-value.com
Expected behavior: no match
> RFC violations in hostname checking
> -----------------------------------
>
> Key: HTTPCLIENT-1802
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1802
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.2
> Reporter: Suphannee Sivakorn
> Assignee: Oleg Kalnichevski
> Priority: Minor
> Fix For: 4.5.3, 5.0 Alpha2
>
> Attachments: 1_1_1_1.pem, s_google_com.pem
>
>
> 1. Matching commonName in case sensitive manner when wildcard presents
> (violation of RFC 6125 and RFC 5280)
> HttpClient matches certificate commonName in the case sensitive manner
> when there is a wildcard presents in the certificate commonName, for
> example, given commonName as "*.google.com", HttpClient matches
> "foo.google.com", it however does not match "foo.Google.com". We found
> that this behavior is inconsistent with section 6.4.4 of RFC 6125
> specification -- "If the client chooses to compare a reference
> identifier of type CN-ID against that string, it MUST follow the
> comparison rules for the DNS domain name portion of an identifier of
> type DNS-ID, SRV-ID, or URI-ID". Note that matching DNS-ID, SRV-ID and
> URI-ID all are in case insensitive manner (RFC 5280).
> Testing certificate attached: s_google_com.pem
> Testing hostname: foo.Google.com
> Expected behavior: match
> 2. Attempting to match commonName when SubjectAltName identifier presents
> Section 6.3 of RFC 6125 prohibits clients from attempting to match
> certificate CN if the presented identifiers include a DNS-ID, SRV-ID,
> URI-ID, or any application-specific identifier types supported by the
> client. We found that HttpClient violates this requirement as it
> attempts to match CN even when there is a subjectAltName identifier
> presents e.g., IP address. However, the library does not attempt to
> match certificate CN when certificate subjectAltName DNS presents.
> Testing certificate attached: 1_1_1_1.pem
> Testing hostname: dummy-value.com
> Expected behavior: no match
> Credit:
> Suphannee Sivakorn
> George Argyros
> Kexin Pei
> Prof. Suman Jana
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
