[ http://issues.apache.org/jira/browse/HTTPCLIENT-613?page=comments#action_12456908 ] Julius Davies commented on HTTPCLIENT-613: ------------------------------------------
HTTPCLIENT-614 will try to address Martin's concerns.

This wiki entry has an interesting catalog of browser behaviour:

http://wiki.cacert.org/wiki/WildcardCertificates

- IE6 doesn't allow subdomains (so follows the RFC). *.apache.org does not match "a.b.apache.org".
- Firefox/Mozilla allows subdomains (breaks RFC). *.apache.org DOES MATCH "a.b.apache.org"!
- New versions of Konqueror (so Safari too?) allow subdomains (breaks RFC).
- Opera allows subdomains (breaks RFC).

I think I'll do some experimentation on my own and test some additional clients. I'll add my findings to cacert's very handy wiki!

Curious about the following (but I'm lazy so I'm just going to stick to Linux):

- wget
- curl
- java.net.URL on the following:
  1. Sun Java 1.3.1 + JSSE
  2. Sun Java 1.4.2
  3. Sun Java 5.0
  4. Sun Java 6.0
  5. IBM Java 1.4.2
  6. IBM Java 5.0
  7. JRockit Java 1.4.2
  8. JRockit Java 5.0

> https should check CN of x509 cert
> ----------------------------------
>
> Key: HTTPCLIENT-613
> URL: http://issues.apache.org/jira/browse/HTTPCLIENT-613
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: Nightly Builds
> Reporter: Julius Davies
> Priority: Critical
> Fix For: 4.0 Alpha 1
>
> Attachments: SSLSocketFactory.patch, SSLSocketFactory_best.patch,
> SSLSocketFactory_improved.patch
>
>
> https should check CN of x509 cert
> Since we're essentially rolling our own "HttpsURLConnection", the checking
> provided by "javax.net.ssl.HostnameVerifier" is no longer in place.
> I have a patch I'm about to attach which caused both createSocket() methods
> on o.a.h.conn.ssl.SSLSocketFactory to blow up:
> test1: javax.net.ssl.SSLException: hostname in certificate didn't match:
> <vancity.com> != <www.vancity.com>
> test2: javax.net.ssl.SSLException: hostname in certificate didn't match:
> <vancity.com> != <www.vancity.com>
> Hopefully people agree that this is desirable.

--
This message is automatically generated by JIRA.
