[
https://issues.apache.org/jira/browse/HTTPCLIENT-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17317866#comment-17317866
]
Peter Dettman commented on HTTPCLIENT-2149:
-------------------------------------------
I'm happy to make a PR.
> DefaultHostnameVerifier should use CN matching when no dNSName present
> ----------------------------------------------------------------------
>
> Key: HTTPCLIENT-2149
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2149
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Reporter: Peter Dettman
> Priority: Minor
>
> [RFC 2818 3.1|https://tools.ietf.org/html/rfc2818#section-3.1] says: "If a
> subjectAltName extension of type dNSName is present, that MUST be used as the
> identity. Otherwise, the (most specific) Common Name field in the Subject
> field of the certificate MUST be used."
> Consider a certificate having a (non-empty) subjectAltName extension
> containing only entries of type SubjectName.IP, and suppose that
> DefaultHostnameVerifier.verify(String, X509Certificate) is called with a host
> of type HostNameType.DNS. Then matchDNSName will be called to try and match
> host against subjectAlts and will fail since there are no dNSName entries to
> match against.
> However per the RFC 2818 requirement above, having found no dNSName entries,
> the check should fall back to matching against the CN.
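The RFC 2818 identity selection quoted in the issue, written out as an added example; it is not part of the original message and is not HttpClient's code. The class and method names are hypothetical, the SAN entries and subject DN are constructed sample values in the shape returned by `X509Certificate.getSubjectAlternativeNames()`, and matching is exact (wildcards are left out).

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class Rfc2818IdentityDemo {          // hypothetical name, illustration only
    static final int DNS_NAME = 2;          // GeneralName tag for dNSName
    static final int IP_ADDRESS = 7;        // GeneralName tag for iPAddress

    // Each SAN entry is [Integer type, value], as getSubjectAlternativeNames() returns them.
    static boolean matchesDnsHost(String host, Collection<List<?>> sans, String subjectDn)
            throws InvalidNameException {
        List<String> dnsNames = new ArrayList<>();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(DNS_NAME).equals(san.get(0))) {
                    dnsNames.add((String) san.get(1));
                }
            }
        }
        if (!dnsNames.isEmpty()) {
            // A dNSName is present: it MUST be the identity, the CN is never consulted.
            return dnsNames.stream().anyMatch(host::equalsIgnoreCase);
        }
        // No dNSName (SAN absent, or only other types such as iPAddress): use the CN.
        String cn = mostSpecificCn(subjectDn);
        return cn != null && cn.equalsIgnoreCase(host);
    }

    // LdapName indexes RDNs right to left, so the most specific RDN is the last element.
    static String mostSpecificCn(String subjectDn) throws InvalidNameException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            if ("CN".equalsIgnoreCase(rdns.get(i).getType())) {
                return String.valueOf(rdns.get(i).getValue());
            }
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        String dn = "CN=app.example.test, O=Example, C=US";             // constructed
        Collection<List<?>> ipOnly = List.of(List.of(IP_ADDRESS, "192.0.2.10"));
        Collection<List<?>> withDns = List.of(List.of(DNS_NAME, "other.example.test"));
        System.out.println(matchesDnsHost("app.example.test", ipOnly, dn));  // IP-only SAN
        System.out.println(matchesDnsHost("app.example.test", withDns, dn)); // dNSName present
        System.out.println(matchesDnsHost("app.example.test", null, dn));    // no SAN at all
    }
}
```

The fallback is keyed on the absence of dNSName entries, not on a failed dNSName match: a certificate that carries any dNSName entry is judged on those entries alone, so a mismatching dNSName cannot be rescued by the CN.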