[ https://issues.apache.org/jira/browse/HTTPCLIENT-614?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-614.
------------------------------------------
Resolution: Fixed
* Moved all concrete HostnameVerifier impls from the interface declaration to
separate public classes
* Renamed DEFAULT HostnameVerifier to BROWSER_COMPATIBLE (still used by
default, but we may want to use STRICT instead in the future)
Closing as FIXED. Many thanks for this contribution, Julius
Oleg
> allow different strategies when checking CN of x509 cert
> --------------------------------------------------------
>
> Key: HTTPCLIENT-614
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-614
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpConn
> Affects Versions: Nightly Builds
> Reporter: Julius Davies
> Fix For: 4.0 Alpha 1
>
> Attachments: ssl-better.patch, ssl-even-better.patch, ssl.patch
>
>
> We're now doing a decent job for checking the CN of the x509 cert with https:
> http://issues.apache.org/jira/browse/HTTPCLIENT-613
> I think the patch for HTTPCLIENT-613 should cover 99.9% of the users out
> there. But there are some more esoteric possibilities, so I think Oleg is
> right. We need to let the user change the strategy, or provide their own
> strategy if they want to.
> Some additional things to think about:
> - http://wiki.cacert.org/wiki/VhostTaskForce !!! CN is deprecated?!?! (I
> am not able to find a popular website on HTTPS that isn't using CN!)
> - [*.example.com] matches subdomains [a.b.example.com] on Firefox, but not
> IE6. The patch for HTTPCLIENT-613 allows subdomains.
> - Should we support multiple CNs in the subject?
> - Should we support "subjectAltName=DNS:www.example.com" ? Should we support
> lots of them in a single cert?
> - Should we support a mix of CN and subjectAltName?
> If we do create some alternate strategies for people to try, I'd probably
> lean towards something like this:
> X509NameCheckingStrategy.SUN_JAVA_6 (default)
> X509NameCheckingStrategy.FIREFOX2
> X509NameCheckingStrategy.IE7
> X509NameCheckingStrategy.FIRST_CN_AND_NO_WILDCARDS (aka "STRICT")
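
The wildcard difference raised in the issue above (Firefox accepts a.b.example.com for *.example.com, IE6 does not, and the proposed "STRICT" takes the first CN with no wildcards), as an added example that is not part of the original message, the attached patches, or HttpClient's own code. The Mode names, the class name and the sample certificate name are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;

public class CnMatchDemo {
    // Hypothetical mode names for this example; they mirror the behaviours
    // described in the issue, not HttpClient's HostnameVerifier classes.
    enum Mode { WILDCARD_ANY_DEPTH, WILDCARD_ONE_LABEL, FIRST_NAME_NO_WILDCARDS }

    static boolean matches(String host, List<String> certNames, Mode mode) {
        String h = host.toLowerCase(Locale.ROOT);
        if (mode == Mode.FIRST_NAME_NO_WILDCARDS) {
            // Only the first name counts, and it must match exactly.
            return !certNames.isEmpty()
                && certNames.get(0).toLowerCase(Locale.ROOT).equals(h);
        }
        for (String raw : certNames) {
            String name = raw.toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (!name.startsWith("*.")) continue;
            String suffix = name.substring(1);            // ".example.com"
            // The wildcard must stand for at least one character, so the
            // bare parent domain never matches.
            if (!h.endsWith(suffix) || h.length() == suffix.length()) continue;
            String prefix = h.substring(0, h.length() - suffix.length());
            // Any depth: "a.b" is accepted. One label: no dot allowed in the prefix.
            if (mode == Mode.WILDCARD_ANY_DEPTH || prefix.indexOf('.') < 0) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> names = List.of("*.example.com");    // constructed sample name
        String[] hosts = { "www.example.com", "a.b.example.com", "example.com" };
        for (Mode m : Mode.values())
            for (String host : hosts)
                System.out.printf("%-24s %-16s %b%n", m, host, matches(host, names, m));
    }
}
```

The only host on which the two wildcard modes disagree is a.b.example.com, which is the case to test when deciding which strategy a client should enforce.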