[ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456768 ]

Oleg Kalnichevski commented on HTTPCLIENT-613:
----------------------------------------------

Patch (with some minor tweaks) checked in. Many thanks, Julius

Now, since there appear to be many ways to skin a cat (I mean to check CN of x509 cert), we should provide a means to inject a case-specific implementation of the CN verifier instead of trying to cover all possible scenarios with one implementation. I think we should come up with an abstract interface to represent the process of CN verification and provide multiple implementations of it (lenient, strict, IBMJSSE specific). This should also allow for better unit testing of the CN verification logic. Speaking of which, some unit tests would be just awesome.

Oleg

> https should check CN of x509 cert
> ----------------------------------
>
>                 Key: HTTPCLIENT-613
>                 URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: Nightly Builds
>            Reporter: Julius Davies
>            Priority: Critical
>             Fix For: 4.0 Alpha 1
>
>         Attachments: SSLSocketFactory.patch, SSLSocketFactory_best.patch,
>                      SSLSocketFactory_improved.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection", the checking
> provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods
> on o.a.h.conn.ssl.SSLSocketFactory to blow up:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match:
> <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match:
> <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.

--
This message is automatically generated by JIRA.
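The pluggable CN verifier proposed in the comment above could look like the following sketch. It is an added example, not code from the attached patches or from HttpClient. The names `CnVerifier`, `STRICT` and `LENIENT` are hypothetical, and reading "strict" as "a wildcard covers exactly one DNS label" and "lenient" as "a wildcard may cover several labels" is an assumption, since the thread does not define the two modes.

```java
import java.util.Locale;

/** Hypothetical interface: is this certificate CN acceptable for this host? */
interface CnVerifier {
    boolean matches(String host, String cn);
}

public class CnVerifierDemo {
    /** Shared matcher; the flag decides whether "*" may span more than one DNS label. */
    static boolean match(String host, String cn, boolean wildcardSpansLabels) {
        if (host == null || cn == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) return h.equals(c);    // no wildcard: exact match only
        String suffix = c.substring(1);                  // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false;    // refuse "*.com" style wildcards
        if (!h.endsWith(suffix) || h.length() == suffix.length()) return false;
        String left = h.substring(0, h.length() - suffix.length());
        return wildcardSpansLabels || left.indexOf('.') < 0;
    }

    // Two injectable implementations of the same interface (assumed semantics).
    static final CnVerifier STRICT = (host, cn) -> match(host, cn, false);
    static final CnVerifier LENIENT = (host, cn) -> match(host, cn, true);

    public static void main(String[] args) {
        String[][] cases = {                             // constructed {host, CN} pairs
            {"www.vancity.com", "vancity.com"},          // mismatch, as in the issue
            {"www.example.com", "*.example.com"},        // one label under the wildcard
            {"a.b.example.com", "*.example.com"},        // two labels: modes disagree
            {"example.com", "*.example.com"},            // wildcard needs a label
            {"example.com", "*.com"},                    // over-broad wildcard
        };
        for (String[] c : cases) {
            System.out.printf("host=%-16s cn=%-14s strict=%-5b lenient=%b%n",
                    c[0], c[1], STRICT.matches(c[0], c[1]), LENIENT.matches(c[0], c[1]));
        }
    }
}
```

Because each policy is a plain object behind one interface, the matching rules can be unit tested with string pairs alone, without a TLS handshake or a real certificate.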
