RFC violations in hostname checking
      1. Matching commonName in a case-sensitive manner when a wildcard is present
      (violation of RFC 6125 and RFC 5280)
      HttpClient matches the certificate commonName in a case-sensitive manner
      when a wildcard is present in the certificate commonName. For example,
      given the commonName "*.google.com", HttpClient matches
      "foo.google.com" but does not match "foo.Google.com". We found that this
      behavior is inconsistent with section 6.4.4 of the RFC 6125
      specification: "If the client chooses to compare a reference
      identifier of type CN-ID against that string, it MUST follow the
      comparison rules for the DNS domain name portion of an identifier of
      type DNS-ID, SRV-ID, or URI-ID". Note that DNS-ID, SRV-ID and URI-ID
      are all matched in a case-insensitive manner (RFC 5280).

      Testing certificate attached: s_google_com.pem
      Testing hostname: foo.Google.com
      Expected behavior: match

      2. Attempting to match commonName when a subjectAltName identifier is present
      Section 6.3 of RFC 6125 prohibits clients from attempting to match the
      certificate CN if the presented identifiers include a DNS-ID, SRV-ID,
      URI-ID, or any application-specific identifier types supported by the
      client. We found that HttpClient violates this requirement, as it
      attempts to match the CN even when a subjectAltName identifier is
      present, e.g. an IP address. However, the library does not attempt to
      match the certificate CN when a subjectAltName dNSName entry is present.

      Testing certificate attached: 1_1_1_1.pem
      Testing hostname: dummy-value.com
      Expected behavior: no match
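      The two rules above, as an added reference matcher written for this
      report (not HttpClient's own code): wildcard CN-ID/DNS-ID comparison is
      case-insensitive, and the commonName is never consulted once any
      subjectAltName identifier is present. The certificate contents are
      constructed stand-ins; the SAN IP 1.1.1.1 and CN "dummy-value.com" are
      assumed from the file names above, not read from the attached PEM files.

```python
import ipaddress

def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Compare a DNS-ID or CN-ID pattern against a hostname.

    Comparison is case-insensitive (DNS names are case-insensitive), and a
    single leading "*." wildcard matches exactly one leftmost label, as
    RFC 6125 section 6.4.3 allows.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # only a whole leftmost-label wildcard is honoured
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # the wildcard covers exactly one label and must sit left of two more
    if len(h_labels) != len(p_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if hostname matches the certificate's presented identifiers.

    cert is a constructed dict: {"cn": str|None, "san_dns": [...], "san_ip": [...]}.
    Rule applied: if any subjectAltName identifier is present, only the SANs
    are consulted and the commonName is never used as a fallback.
    """
    san_dns = cert.get("san_dns") or []
    san_ip = cert.get("san_ip") or []
    if san_dns or san_ip:
        try:
            addr = ipaddress.ip_address(hostname)
        except ValueError:
            addr = None  # hostname is a DNS name, not an IP literal
        if addr is not None:
            return any(ipaddress.ip_address(ip) == addr for ip in san_ip)
        return any(_dns_label_match(d, hostname) for d in san_dns)
    cn = cert.get("cn")
    return cn is not None and _dns_label_match(cn, hostname)

# Constructed stand-ins for the two test certificates described above
# (values assumed from the file names, not parsed from the PEM files).
WILDCARD_CERT = {"cn": "*.google.com", "san_dns": [], "san_ip": []}
IP_SAN_CERT = {"cn": "dummy-value.com", "san_dns": [], "san_ip": ["1.1.1.1"]}
```

      With these inputs the matcher returns a match for "foo.Google.com"
      against WILDCARD_CERT and no match for "dummy-value.com" against
      IP_SAN_CERT, the expected behaviors stated for the two test cases.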

      Suphannee Sivakorn
      George Argyros
      Kexin Pei
      Prof. Suman Jana