CXF-6762: DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.4
    • Fix Version/s: 3.1.5
    • Component/s: JAX-RS, Transports
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder implementation in CXF (and which cannot be overridden without also overriding the SSLContext, due to CXF-6761) improperly validates the request hostname against the DNSName values from the SAN section of a certificate when matching wildcards.

      For example, the following works:
      Hostname = my.test.com -> DNSName = *.test.com

      But the following does not:
      Hostname = 1.my.test.com -> DNSName = *.my.test.com

      The reason this fails is that the validation code erroneously assumes (in multiple places) that wildcards only ever exist on the root domain.

      The logic should be improved to allow the wildcard to be used to replace 1 domain name component or component fragment (comments in the code indicate that this is its purpose, but it fails at this).
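      An added example, not CXF's own DefaultHostnameVerifier code: a small hostname-to-SAN matcher that applies the usual RFC 6125 / RFC 2818 wildcard rules without tying the wildcard to the root domain. It accepts both cases from the report ("my.test.com" against "*.test.com" and "1.my.test.com" against "*.my.test.com") while still rejecting a wildcard that would have to cover two labels, a wildcard outside the left-most label, or a wildcard over a bare suffix such as "*.com". The function names, the constructed SAN list and the "fragment" rule (a wildcard may also replace part of the left-most label, as in "f*.test.com") are assumptions of this example, not behaviour taken from the page.

```python
import re

# One DNS label: letters, digits and hyphens. An IDN would be compared in its
# punycode (A-label) form, which also fits this pattern.
_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def san_dns_matches(hostname: str, san_dns: str) -> bool:
    """True if the request hostname is covered by one SAN dNSName entry.

    Rules applied (RFC 6125 section 6.4.3, RFC 2818 section 3.1):
      * an exact, case-insensitive match always succeeds;
      * a wildcard may appear only in the left-most label, and only once;
      * the wildcard stands for exactly one label (or a fragment of it, e.g.
        "f*.test.com"), never for zero labels and never for several;
      * at least two literal labels must follow the wildcard, so "*.com" or
        a bare "*" never match anything.
    The wildcard label is not tied to any depth: "*.my.test.com" is handled
    exactly like "*.test.com".
    """
    host = _labels(hostname)
    san = _labels(san_dns)
    if any(not _LABEL.match(label) for label in host):
        return False                      # malformed hostname (empty label, '*', ...)
    if host == san:
        return True                       # exact match, no wildcard involved
    if "*" not in san[0] or san[0].count("*") > 1:
        return False                      # no wildcard at all, or more than one
    if any("*" in label for label in san[1:]):
        return False                      # wildcard is not in the left-most label
    if len(san) < 3 or len(host) != len(san):
        return False                      # too few literal labels, or label count differs
    if host[1:] != san[1:]:
        return False                      # the literal tail must match exactly
    prefix, suffix = san[0].split("*")    # "*" -> ("", ""), "f*o" -> ("f", "o")
    left = host[0]
    return (len(left) >= len(prefix) + len(suffix)
            and left.startswith(prefix)
            and left.endswith(suffix))


def verify_hostname(hostname: str, san_dns_names: list[str]) -> bool:
    """Hostname verification against the dNSName entries of a certificate's SAN.

    Only SAN dNSName entries are consulted; there is no fallback to the
    subject CN, and IP-address SAN entries are out of scope for this example.
    """
    return any(san_dns_matches(hostname, san) for san in san_dns_names)


# Constructed SAN list for illustration (hypothetical certificate contents).
EXAMPLE_SAN = ["test.com", "*.test.com", "*.my.test.com"]

if __name__ == "__main__":
    for host in ("my.test.com", "1.my.test.com", "1.2.my.test.com", "test.com"):
        print(f"{host:20} -> {verify_hostname(host, EXAMPLE_SAN)}")
```

      The length check on the literal tail is what removes the "wildcard only at the root" assumption: the SAN is split into labels once and the wildcard label is compared against the same position in the hostname, wherever that position is. A client that also wants to honour the CN must still apply the same rules to it, and should do so only when the certificate carries no SAN dNSName entries at all.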

          People

            Assignee: coheigea (Colm O hEigeartaigh)
            Reporter: chribble (Chris Ribble)


              Time Tracking

                Original Estimate: 48h
                Remaining Estimate: 48h
                Time Spent: Not Specified