peterdettman commented on a change in pull request #302:
URL: https://github.com/apache/httpcomponents-client/pull/302#discussion_r610651915
##########
File path: httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
##########
@@ -114,18 +114,15 @@ public void verify(
matchIPv6Address(host, subjectAlts);
break;
default:
- matchDNSName(host, subjectAlts, this.publicSuffixMatcher);
+ // In case there are no SubjectName.DNS entries, fallback
to CN matching
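Review bot: The new comment "In case there are no SubjectName.DNS entries, fallback to CN matching" understates the condition: per RFC 2818 3.1 the Common Name is consulted only when the certificate carries no dNSName subjectAltName entry at all, never when dNSName entries are present but fail to match, so the comment should say "only if the certificate has no dNSName SAN entries (RFC 2818 3.1); if any are present they are the sole identity". Also, the removed line `matchDNSName(host, subjectAlts, this.publicSuffixMatcher);` is the only place in this hunk where `publicSuffixMatcher` was passed, and the visible replacement is a comment; please confirm the public-suffix check still applies on the new DNS and CN paths, and change "fallback" (noun) to "fall back" (verb) in the comment.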
Review comment:
That is the fallback if there were no dNSName entries to even check
against. RFC 2818 3.1: “If a subjectAltName extension of type dNSName is
present, that MUST be used as the identity. Otherwise, the (most specific)
Common Name field in the Subject field of the certificate MUST be used.” Note
that IP addresses are singled out further down: “In some cases, the URI is
specified as an IP address rather than a hostname. In this case, the iPAddress
subjectAltName must be present in the certificate and must exactly match the IP
in the URI.”
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
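The RFC 2818 3.1 rules quoted in the review comment, worked through as an added Python illustration (this is not the project's Java code and does not use the httpclient5 API). It assumes a certificate's subject alternative names arrive as `(type, value)` pairs using the integer tags Java's `X509Certificate.getSubjectAlternativeNames()` returns (2 = dNSName, 7 = iPAddress); the `verify_hostname` and `match_dns_name` names, the wildcard restriction that refuses patterns such as `*.com`, and the sample identities in `cases` are all constructed for the example.

```python
import ipaddress

# GeneralName type tags, following the integers that Java's
# X509Certificate.getSubjectAlternativeNames() returns: 2 = dNSName, 7 = iPAddress.
DNS_NAME = 2
IP_ADDRESS = 7


def match_dns_name(host: str, pattern: str) -> bool:
    """Case-insensitive DNS identity match.

    A single leading "*." wildcard matches exactly one label, and the rest of
    the pattern must keep at least two labels so "*.com" cannot match every
    .com host. That restriction is a conservative choice made for this
    example; RFC 2818's text quoted above does not spell it out.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "*" in suffix or "." not in suffix:
            return False
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == suffix
    return "*" not in pattern and host == pattern


def parse_ip(text: str):
    """Return an ip_address object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def verify_hostname(host: str, subject_alts, common_name) -> bool:
    """Apply the RFC 2818 3.1 identity rules the review comment quotes.

    subject_alts: list of (type, value) pairs, the shape Java's
                  getSubjectAlternativeNames() yields (assumed here).
    common_name:  most specific CN of the subject DN, or None if absent.
    """
    ip = parse_ip(host)
    if ip is not None:
        # Host is an IP literal: an iPAddress SAN must be present and match
        # exactly. The CN is never consulted for IP hosts.
        for alt_type, value in subject_alts:
            if alt_type == IP_ADDRESS and parse_ip(value) == ip:
                return True
        return False

    dns_names = [value for alt_type, value in subject_alts if alt_type == DNS_NAME]
    if dns_names:
        # dNSName entries exist, so they are the identity. If none matches,
        # verification fails; there is no fallback to the CN on this path.
        return any(match_dns_name(host, name) for name in dns_names)

    # No dNSName entry at all (other SAN types do not count): fall back to CN.
    return common_name is not None and match_dns_name(host, common_name)


if __name__ == "__main__":
    # Constructed certificate identities, not taken from any real certificate.
    cases = [
        ("www.example.com", [(DNS_NAME, "www.example.com")], "ignored", True),
        ("www.example.com", [(DNS_NAME, "api.example.com")], "www.example.com", False),
        ("www.example.com", [], "www.example.com", True),
        ("www.example.com", [(IP_ADDRESS, "192.0.2.1")], "www.example.com", True),
        ("192.0.2.1", [(IP_ADDRESS, "192.0.2.1")], None, True),
        ("192.0.2.1", [], "192.0.2.1", False),
        ("a.example.com", [(DNS_NAME, "*.example.com")], None, True),
        ("b.a.example.com", [(DNS_NAME, "*.example.com")], None, False),
    ]
    for host, alts, cn, expected in cases:
        result = verify_hostname(host, alts, cn)
        print(f"{host:18} -> {result} (expected {expected})")
```

The second and fourth cases are the ones the comment thread is about: a certificate whose dNSName entries do not match must fail even when the CN would have matched, while a certificate with only an iPAddress entry still has no dNSName entries and therefore does reach the CN fallback for a DNS hostname.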