Thank you for your help. I will study these. One last question though. Since I am being asked to do this, and my understanding is that this may be a bad idea, I was wondering if there is some reference, e.g. in an RFC (or some other documentation), that either mandates avoiding this (i.e. reverse lookup) or at least suggests not doing it. I mean, OK, I will go ahead and do it, but I would like to know what the best/standard practice for this is. Any info/reference is highly appreciated. Thank you for your time.

Regards
From: Sam Crawford <[email protected]>
To: HttpClient User Discussion <[email protected]>; am am <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Friday, August 19, 2011 12:10 PM
Subject: Re: HttpClient / SSL STRICT_HOSTNAME_VERIFIER

Take a look at http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/StrictHostnameVerifier.html and potentially check out the source for it too. I note that the docs for that class suggest that names in the 'subject-alt' fields of the certificate will also be accepted. Therefore, one possible option for you is to set subject-alt names in your SSL cert. Assuming you're working with self-signed certificates, this should be straightforward.

Alternatively you could write your own hostname verifier. The StrictHostnameVerifier (referenced above and also in your original stacktrace) is the default one, but there are others (AllowAllHostnameVerifier, for example), and you could write your own that ran a reverse DNS lookup. You need to set the HostnameVerifier on the SSLSocketFactory.

Thanks,
Sam

On 18 August 2011 15:51, am am <[email protected]> wrote:
> Thank you for the response Oleg.
> So the hostname comparison is always done as literal strings?
> There is no check if the name typed by the user can be mapped to the IP that
> the certificate is issued to?
> 1) I am wondering (since perhaps erroneously I was expecting some DNS lookup)
> is there an RFC recommending to do a literal comparison or is it just a common
> practice?
> 2) If I wanted to do the lookup, would I be able to implement my custom
> hostname verifier? But only to customize the behavior on this part if needed.
> If you have a reference it would be highly appreciated
>
> Regards
>
> From: Oleg Kalnichevski <[email protected]>
> To: HttpClient User Discussion <[email protected]>
> Sent: Thursday, August 18, 2011 5:36 PM
> Subject: Re: HttpClient / SSL STRICT_HOSTNAME_VERIFIER
>
> On Wed, 2011-08-17 at 13:56 -0700, am am wrote:
>> Thank you for the reply.
>> Your point makes a lot of sense.
>> But you are describing a security exploit.
>> This begs the question: Does this mean that a certificate is not
>> supposed to be issued (ever) to an IP i.e. CN=IP?
>
> No, it does not. CN can be an IP. However, in this case one must always
> connect to the host by its IP in order for the hostname verification to
> succeed.
>
> Oleg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
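The two options Sam lists (keep the strict verifier and put the right names in the certificate, or plug a custom X509HostnameVerifier into the SSLSocketFactory), as an added example that is not from this thread or from the HttpClient project. It assumes HttpClient 4.1.x, the release current when the thread was written; the class ResolvingHostnameVerifier, its newClient helper and the inputs in main are constructed for illustration. The custom verifier does a forward lookup of the requested name rather than the reverse lookup the thread mentions, and the comments spell out why either lookup is weaker than the literal comparison StrictHostnameVerifier performs.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.AbstractVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * Hypothetical custom verifier (not part of HttpClient): applies the same strict
 * literal comparison as StrictHostnameVerifier first, and only if that fails
 * resolves the requested name and accepts a certificate issued to one of the
 * resolved IP addresses (the CN=IP case Oleg describes).
 */
public class ResolvingHostnameVerifier extends AbstractVerifier {

    @Override
    public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        // Step 1: the standard check. AbstractVerifier.verify(..., true) is the
        // strict literal match that StrictHostnameVerifier delegates to.
        try {
            verify(host, cns, subjectAlts, true);
            return;
        } catch (SSLException literalMismatch) {
            // fall through to the DNS-dependent fallback below
        }

        // Step 2 (weaker, deliberately opt-in): resolve the name the user typed and
        // accept only if the certificate names exactly one of those IP addresses.
        // CAVEAT: this makes the TLS identity check depend on DNS answers, which an
        // on-path attacker can forge; the literal comparison exists precisely so that
        // TLS does not have to trust DNS. A reverse (PTR) lookup would be weaker
        // still, because whoever controls the IP's reverse zone controls the answer.
        InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new SSLException("hostname '" + host + "' matches none of "
                    + Arrays.toString(cns) + " / " + Arrays.toString(subjectAlts)
                    + " and could not be resolved", e);
        }
        for (InetAddress addr : resolved) {
            String ip = addr.getHostAddress();
            if (contains(cns, ip) || contains(subjectAlts, ip)) {
                return; // e.g. CN=192.0.2.10 and the name resolved to 192.0.2.10
            }
        }
        throw new SSLException("hostname '" + host + "' resolved to " + Arrays.toString(resolved)
                + " but certificate is for " + Arrays.toString(cns) + " / " + Arrays.toString(subjectAlts));
    }

    private static boolean contains(String[] names, String value) {
        if (names == null) {
            return false;
        }
        for (String n : names) {
            if (value.equalsIgnoreCase(n)) {
                return true;
            }
        }
        return false;
    }

    /** Wires a verifier into a 4.1-style SSLSocketFactory registered for https. */
    public static HttpClient newClient(X509HostnameVerifier verifier) throws Exception {
        SSLSocketFactory sf = new SSLSocketFactory(SSLContext.getDefault(), verifier);
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, sf));
        return client;
    }

    public static void main(String[] args) throws Exception {
        X509HostnameVerifier v = new ResolvingHostnameVerifier();
        // Constructed inputs; the only lookup is of "localhost".
        // A CN=IP certificate reached by name fails the strict check but passes the fallback.
        v.verify("localhost", new String[] {"127.0.0.1"}, new String[0]);
        System.out.println("localhost vs CN=127.0.0.1: accepted by fallback");
        // A certificate naming an unrelated address is still rejected.
        try {
            v.verify("localhost", new String[] {"192.0.2.10"}, new String[0]);
        } catch (SSLException expected) {
            System.out.println("localhost vs CN=192.0.2.10: rejected (" + expected.getMessage() + ")");
        }
        // Option 1 from the thread: keep the strict verifier and fix the certificate's names.
        HttpClient strictClient = newClient(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        // Option 2: the custom verifier, set on the SSLSocketFactory as Sam describes.
        HttpClient lookupClient = newClient(v);
        strictClient.getConnectionManager().shutdown();
        lookupClient.getConnectionManager().shutdown();
    }
}
```

Note that AbstractVerifier hands the verify(host, cns, subjectAlts) method the subject-alt names of the type matching the requested host, so when the user types a hostname the fallback will normally only see a CN=IP certificate via cns; adding a DNS subjectAltName for the hostname, as Sam suggests, makes the strict check pass on its own and the fallback is never reached.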
