[jira] Updated: (HTTPCLIENT-613) https should check CN of x509 cert

Thu, 07 Dec 2006 17:44:43 -0800 

     [ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=all ]

Julius Davies updated HTTPCLIENT-613:
-------------------------------------

    Attachment: SSLSocketFactory_improved.patch

- Better formatting on the curly braces (e.g. "} else {" now on one line).

- A few more comments.

- Hostname verification no longer throws an NPE under IBM 1.4.2 when accessing 
a server that has spurious certificates in its chain.  Instead it throws the 
underlying reason that's actually bothering IBM (IBM-1.4.x hates spurious 
certificates!).


Here's some testing:
=======================================
Ability to deal with spurious certificates in chain.
(I only tested on Linux)

Succeeds:
------------------------
IBM 1.5.0
JRockit 1.4.2
JRockit 1.5.0
Sun 1.4.2
Sun 1.5.0
Sun 1.6.0-rc

Fails:
------------------------
IBM 1.4.2



> https should check CN of x509 cert
> ----------------------------------
>
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>
>         Attachments: SSLSocketFactory.patch, SSLSocketFactory_improved.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection",  the checking 
> provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods 
> on o.a.h.conn.ssl.SSLSocketFactory to blowup:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match: 
> <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match: 
> <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to