[ https://issues.apache.org/jira/browse/CXF-6762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned CXF-6762:
----------------------------------------
Assignee: Colm O hEigeartaigh
> DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
> -----------------------------------------------------------------------
>
> Key: CXF-6762
> URL: https://issues.apache.org/jira/browse/CXF-6762
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, Transports
> Affects Versions: 3.1.4
> Reporter: Chris Ribble
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder
> implementation in CXF (and which cannot be overridden without also overriding
> the SSLContext, due to CXF-6761) improperly validates the request hostname
> against the DNSName values from the SAN section of a certificate when
> matching wildcards.
> For example, the following works:
> Hostname = my.test.com -> DNSName = *.test.com
> But the following does not:
> Hostname = 1.my.test.com -> DNSName = *.my.test.com
> The reason this fails is that the validation code erroneously assumes (in
> multiple places) that wildcards only ever exist on the root domain.
> The logic should be improved to allow the wildcard to be used to replace 1
> domain name component or component fragment (comments in the code indicate
> that this is its purpose, but it fails at this).
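The matching rule the report asks for, written out as an added example (not CXF's DefaultHostnameVerifier code and not part of the original message): the wildcard is confined to the leftmost label and stands in for exactly one label or a fragment of one, at any depth below the root domain. The class and method names are hypothetical, and the refusal of patterns such as `*.com` is an extra guard assumed here, not something the report specifies.

```java
import java.util.Locale;

/** Added illustration; class and method names are hypothetical, not CXF's. */
public class WildcardSanMatcher {

    /** True if host matches a SAN dNSName pattern with at most one '*' in its leftmost label. */
    static boolean matches(String host, String pattern) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] p = pattern.toLowerCase(Locale.ROOT).split("\\.", -1);
        // '*' stands in for one label or a fragment of one, so label counts must agree.
        if (h.length != p.length) {
            return false;
        }
        // Every label right of the leftmost must match literally; no wildcard allowed there.
        for (int i = 1; i < p.length; i++) {
            if (p[i].isEmpty() || p[i].indexOf('*') >= 0 || !p[i].equals(h[i])) {
                return false;
            }
        }
        String left = p[0];
        int star = left.indexOf('*');
        if (star < 0) {
            return !left.isEmpty() && left.equals(h[0]);
        }
        // Assumption (extra guard): reject a wildcard directly under a single label ("*.com")
        // and any leftmost label that carries more than one '*'.
        if (p.length < 3 || left.indexOf('*', star + 1) >= 0) {
            return false;
        }
        String prefix = left.substring(0, star);
        String suffix = left.substring(star + 1);
        String label = h[0];
        // The wildcard must consume at least one character of the host's leftmost label.
        return label.length() > prefix.length() + suffix.length()
                && label.startsWith(prefix) && label.endsWith(suffix);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first two are the cases from the report.
        String[][] cases = {
            {"my.test.com", "*.test.com"}, {"1.my.test.com", "*.my.test.com"},
            {"a.b.my.test.com", "*.my.test.com"}, {"my.test.com", "*.my.test.com"},
            {"www1.my.test.com", "www*.my.test.com"}, {"1.my.test.com", "1.*.test.com"},
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
        }
    }
}
```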