[ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julius Davies updated HTTPCLIENT-617:
-------------------------------------

    Attachment: guard_against_ip4_wildcard.patch

Thanks, Oleg!  Here's what I had in mind (see attached patch).  I'll try and put together a JUnit test for this - hopefully soon (famous last words).  Unfortunately I have to remember how to use openssl to generate an X509 cert with CN=*.1.2.3, but should hopefully find time this weekend.

yours,

Julius

> Hostname verification:  turn off wildcards when CN is an IP address
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-617
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-617
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: Snapshot
>            Reporter: Julius Davies
>            Priority: Minor
>             Fix For: 4.0 Alpha 2
>
>         Attachments: guard_against_ip4_wildcard.patch
>
>
> Hostname verification: turn off wildcards when CN is an IP address.  This 
> is a further improvement on HTTPCLIENT-613 and HTTPCLIENT-614.
> Example - don't allow:
> CN=*.114.102.2
> I'm thinking of grabbing the substring following the final dot, and running 
> it through "Integer.parseInt()".  If the NumberFormatException isn't thrown 
> (so Integer.parseInt() actually worked!), then I'll turn off wildcard 
> matching.  Notice that this won't be a problem with IP6 addresses, since they 
> don't use dots.  It's only a problem with IP4, where the meaning of the dots 
> clashes with dots in domain names.
> Note:  when I turn off wildcard matching, I still attempt an exact match with 
> the hostname.  If through some weird mechanism the client is actually able to 
> use a hostname such as "https://*.114.102.2/", then they will be okay if 
> that's what the certificate on the server contains.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
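The guard described in the issue, written out as an added, stand-alone Java illustration (this is not the attached patch and not HttpClient's own verifier code). Only the numeric-last-label test and the exact-match fallback come from the issue text; the wildcard semantics used here (a leading `*.` stands for exactly one DNS label) and the class and method names are my assumptions, as are the sample hostname/certificate pairs in `main`.

```java
import java.util.Locale;

/**
 * Added illustration of the HTTPCLIENT-617 idea: when the certificate name's
 * final label parses as an integer (e.g. "*.114.102.2"), it is treated as a
 * dotted IPv4 fragment and wildcard matching is disabled. An exact match is
 * still attempted, as the issue note says.
 */
public final class IpWildcardGuard {

    private IpWildcardGuard() {}

    /** True when the text after the final dot parses via Integer.parseInt, as proposed in the issue. */
    static boolean lastLabelIsNumeric(String name) {
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return false;
        }
        try {
            Integer.parseInt(name.substring(dot + 1));
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Compares a requested hostname with one certificate name (CN or DNS SAN).
     * Wildcards are honoured only when the name starts with "*." and does not
     * look like an IPv4 fragment; otherwise only an exact comparison is made.
     * Single-label wildcard semantics are an assumption of this example.
     */
    static boolean matches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = certName.toLowerCase(Locale.ROOT);

        boolean wildcardAllowed = c.startsWith("*.") && !lastLabelIsNumeric(c);
        if (!wildcardAllowed) {
            return h.equals(c);                     // exact match still permitted
        }
        String suffix = c.substring(1);             // "*.example.com" -> ".example.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String prefix = h.substring(0, h.length() - suffix.length());
        return !prefix.isEmpty() && prefix.indexOf('.') < 0;   // exactly one label
    }

    public static void main(String[] args) {
        // Constructed sample pairs: hostname, certificate name, expected result.
        Object[][] cases = {
            {"www.example.com", "*.example.com", true},
            {"a.b.example.com", "*.example.com", false},   // more than one label
            {"10.114.102.2",    "*.114.102.2",   false},   // numeric last label: wildcard off
            {"*.114.102.2",     "*.114.102.2",   true},    // exact match still honoured
            {"10.114.102.2",    "10.114.102.2",  true},
        };
        for (Object[] c : cases) {
            boolean got = matches((String) c[0], (String) c[1]);
            System.out.printf("%-16s vs %-16s -> %-5s (expected %s)%n", c[0], c[1], got, c[2]);
        }
    }
}
```

Note that `Integer.parseInt` also accepts a leading sign, so "*.example.-5" would trigger the guard; that only disables wildcards for a name no sane CA would issue, so it fails closed. A stricter variant could require all labels after the `*` to be numeric, but the issue's single-label check already closes the case it sets out to fix.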

