Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
3.1.4
-
None
-
Unknown
Description
DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761) improperly validates the request hostname against the DNSName values from the SAN section of a certificate when matching wildcards.
For example, the following works:
Hostname = my.test.com -> DNSName = *.test.com
But the following does not:
Hostname = 1.my.test.com -> DNSName = *.my.test.com
The reason this fails is that the validation code erroneously assumes (in multiple places) that wildcards only ever exist on the root domain.
The logic should be improved to allow the wildcard to be used to replace 1 domain name component or component fragment (comments in the code indicate that this is its purpose, but it fails at this).