[ https://issues.apache.org/jira/browse/HTTPCLIENT-617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-617.
------------------------------------------
Resolution: Fixed
Patch checked in. Many thanks, Julius.
Test cases would be very welcome, as always.
Oleg
> Hostname verification: turn off wildcards when CN is an IP address
> -------------------------------------------------------------------
>
> Key: HTTPCLIENT-617
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-617
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpConn
> Affects Versions: Snapshot
> Reporter: Julius Davies
> Priority: Minor
> Fix For: 4.0 Alpha 2
>
> Attachments: guard_against_ip4_wildcard.patch
>
>
> Hostname verification: turn off wildcards when CN is an IP address. This
> is a further improvement on HTTPCLIENT-613 and HTTPCLIENT-614.
> Example - don't allow:
> CN=*.114.102.2
> I'm thinking of grabbing the substring following the final dot, and running
> it through "Integer.parseInt()". If the NumberFormatException isn't thrown
> (so Integer.parseInt() actually worked!), then I'll turn off wildcard
> matching. Notice that this won't be a problem with IP6 addresses, since they
> don't use dots. It's only a problem with IP4, where the meaning of the dots
> clashes with dots in domain names.
> Note: when I turn off wildcard matching, I still attempt an exact match with
> the hostname. If through some weird mechanism the client is actually able to
> use a hostname such as "https://*.114.102.2/", then they will be okay if
> that's what the certificate on the server contains.
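
The check described in the issue, sketched as an added Java example. It is not the attached guard_against_ip4_wildcard.patch and not HttpClient's own code; the class and method names are hypothetical, the sample CN/hostname pairs are constructed, and the wildcard match itself is simplified to a suffix comparison.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical.
public class Ip4WildcardGuard {

    // True when the text after the final dot parses as an integer, the
    // heuristic described in the issue for spotting an IPv4-style CN.
    static boolean lastLabelIsNumeric(String cn) {
        String last = cn.substring(cn.lastIndexOf('.') + 1);
        try {
            Integer.parseInt(last);
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Wildcard matching is attempted only when the CN does not look like an
    // IP address. An exact, case-insensitive comparison is always attempted.
    static boolean cnMatchesHost(String cn, String host) {
        String c = cn.trim().toLowerCase(Locale.ROOT);
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (c.equals(h)) {
            return true;
        }
        boolean wildcardAllowed = c.startsWith("*.") && !lastLabelIsNumeric(c);
        // Simplified suffix match: "*.example.org" accepts "www.example.org"
        // but not the bare "example.org".
        return wildcardAllowed && h.length() > c.length() - 1 && h.endsWith(c.substring(1));
    }

    public static void main(String[] args) {
        // Constructed sample data: {CN, hostname, expected result}.
        String[][] cases = {
            {"*.114.102.2",   "10.114.102.2",    "false"},
            {"*.114.102.2",   "*.114.102.2",     "true"},
            {"*.example.org", "www.example.org", "true"},
            {"*.example.org", "example.org",     "false"},
        };
        for (String[] t : cases) {
            boolean got = cnMatchesHost(t[0], t[1]);
            if (got != Boolean.parseBoolean(t[2])) {
                throw new AssertionError(t[0] + " vs " + t[1] + " gave " + got);
            }
            System.out.println(t[0] + " / " + t[1] + " -> " + got);
        }
    }
}
```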