Thank you for the response, Oleg.

So the hostname comparison is always done as literal strings? There is no check whether the name typed by the user can be mapped to the IP that the certificate is issued to?

1) I am wondering (since, perhaps erroneously, I was expecting some DNS lookup): is there an RFC recommending a literal comparison, or is it just common practice?

2) If I wanted to do the lookup, would I be able to implement my custom hostname verifier? But only to customize the behavior on this part, if needed.

If you have a reference, it would be highly appreciated.

Regards
From: Oleg Kalnichevski <[email protected]>
To: HttpClient User Discussion <[email protected]>
Sent: Thursday, August 18, 2011 5:36 PM
Subject: Re: HttpClient / SSL STRICT_HOSTNAME_VERIFIER

On Wed, 2011-08-17 at 13:56 -0700, am am wrote:
> Thank you for the reply.
> Your point makes a lot of sense.
> But you are describing a security exploit.
> This begs the question: Does this mean that a certificate is not
> supposed to be issued (ever) to an IP i.e. CN=IP?

No, it does not. CN can be an IP. However, in this case one must always connect to the host by its IP in order for the hostname verification to succeed.

Oleg
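The behaviour Oleg describes, as an added example that is not HttpClient code and not part of the original thread: a strict verifier compares the string the client connected with against the identities in the certificate, literally and with no DNS resolution, so a certificate issued to an IP address only matches when the connection was made to that IP literal. The second function implements the lookup the question asks about (resolve the typed name, then accept the certificate if it names the resolved address) purely to show why it is unsafe; the "security exploit" the thread alludes to is not spelled out on the page, so the poisoned-resolver scenario below is my assumption of the kind of attack such a lookup would enable. The certificate identities, addresses (203.0.113.7, documentation range) and resolver table are all constructed data, not parsed from real X.509 structures.

```python
"""Hostname verification as a literal comparison, with no DNS lookup.

Added example, not HttpClient code.  The certificate is a hand-built
stand-in (constructed data), not a parsed X.509 certificate.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CertIdentity:
    """The identities a server certificate asserts (constructed stand-in)."""
    common_name: Optional[str] = None
    dns_names: list = field(default_factory=list)      # subjectAltName dNSName entries
    ip_addresses: list = field(default_factory=list)   # subjectAltName iPAddress entries


def _parse_ip(text):
    """Return an ip_address object for an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_name_matches(pattern, host):
    """Case-insensitive literal match; '*' is honoured only as the whole
    left-most label and must not cross a label boundary."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def verify_hostname(requested, cert):
    """Strict verifier: the string the client connected to must literally
    match an identity in the certificate.  Nothing is resolved."""
    requested_ip = _parse_ip(requested)
    if requested_ip is not None:
        # Connected by IP literal: match iPAddress SANs, or a CN holding that IP.
        # CN=IP is allowed, but it only ever matches a connection made by IP.
        candidates = [_parse_ip(a) for a in cert.ip_addresses]
        if cert.common_name:
            candidates.append(_parse_ip(cert.common_name))
        return requested_ip in [c for c in candidates if c is not None]
    # Connected by name: dNSName SANs are authoritative; CN is only a fallback
    # when the certificate carries no dNSName at all.
    if cert.dns_names:
        names = cert.dns_names
    else:
        names = [cert.common_name] if cert.common_name else []
    return any(_dns_name_matches(n, requested) for n in names)


def verify_by_resolving(requested, cert, resolver):
    """The lookup-based check the question asks about: accept the certificate
    if it names whatever the typed name currently resolves to.  Included only
    to make the weakness visible; whoever controls name resolution decides
    which certificate is accepted.  Do not use this."""
    if verify_hostname(requested, cert):
        return True
    for addr in resolver.get(requested, []):          # assumed: resolver is a dict
        if verify_hostname(addr, cert):
            return True
    return False


# Constructed scenario (assumption, not from the thread): an attacker at
# 203.0.113.7 holds a certificate legitimately issued to that IP only.
IP_ONLY_CERT = CertIdentity(common_name="203.0.113.7", ip_addresses=["203.0.113.7"])
NAME_CERT = CertIdentity(common_name="www.example.com",
                         dns_names=["www.example.com", "*.example.com"])

# Constructed resolver: a poisoned cache answers the victim's name with the attacker's IP.
POISONED_DNS = {"www.example.com": ["203.0.113.7"]}


if __name__ == "__main__":
    # Literal check: the IP-only certificate works by IP, fails by name.
    print(verify_hostname("203.0.113.7", IP_ONLY_CERT))                      # True
    print(verify_hostname("www.example.com", IP_ONLY_CERT))                  # False
    # Lookup-based check: the poisoned answer makes the attacker's cert pass.
    print(verify_by_resolving("www.example.com", IP_ONLY_CERT, POISONED_DNS))  # True
```

The last line is the point: a verifier that resolves names delegates the trust decision to DNS, which is exactly the channel an attacker who can redirect the connection already controls, so the literal comparison is not a limitation but the property that makes the check meaningful.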
