Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
Description
RFC 2818 3.1 says: "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used."
Consider a certificate having a (non-empty) subjectAltName extension containing only entries of type SubjectName.IP, and suppose that DefaultHostnameVerifier.verify(String, X509Certificate) is called with a host of type HostNameType.DNS. Then matchDNSName will be called to try and match host against subjectAlts and will fail since there are no dNSName entries to match against.
However per the RFC 2818 requirement above, having found no dNSName entries, the check should fall back to matching against the CN.
Issue Links
- causes HTTPCLIENT-2280 HostnameVerifier does not support using IP address in CN (Closed)
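The identity selection that the RFC 2818 section 3.1 text quoted in the description requires for a DNS-type host, written as an added Java example; it is not HttpClient's own code. The class name `Rfc2818Identity`, the method `dnsIdentities` and all sample names and addresses are constructed for illustration; the input has the shape returned by `X509Certificate.getSubjectAlternativeNames()`.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Illustrative class, not part of HttpClient.
public class Rfc2818Identity {
    static final int DNS_NAME = 2;   // GeneralName tag for dNSName
    static final int IP_ADDRESS = 7; // GeneralName tag for iPAddress

    /** Names a DNS-type host has to be matched against, per RFC 2818 section 3.1. */
    static List<String> dnsIdentities(Collection<List<?>> subjectAlts, String subjectDn)
            throws InvalidNameException {
        List<String> names = new ArrayList<>();
        if (subjectAlts != null) { // null means the extension is absent
            for (List<?> entry : subjectAlts) {
                if (Integer.valueOf(DNS_NAME).equals(entry.get(0))) {
                    names.add((String) entry.get(1));
                }
            }
        }
        if (!names.isEmpty()) {
            return names; // a dNSName is present: the CN must not be consulted
        }
        // No dNSName entry (extension absent, or IP-only as in this report):
        // fall back to the most specific CN, the leftmost one in RFC 2253 form.
        List<Rdn> rdns = new LdapName(subjectDn).getRdns(); // index 0 is the rightmost RDN
        for (int i = rdns.size() - 1; i >= 0; i--) {
            if ("CN".equalsIgnoreCase(rdns.get(i).getType())) {
                names.add(String.valueOf(rdns.get(i).getValue()));
                break;
            }
        }
        return names;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject and subjectAltName contents.
        String dn = "CN=service.example.test,O=Example";
        Collection<List<?>> ipOnly = List.<List<?>>of(List.of(IP_ADDRESS, "192.0.2.10"));
        Collection<List<?>> withDns = List.<List<?>>of(
                List.of(DNS_NAME, "api.example.test"), List.of(IP_ADDRESS, "192.0.2.10"));
        System.out.println("IP-only SAN  -> " + dnsIdentities(ipOnly, dn));
        System.out.println("dNSName SAN  -> " + dnsIdentities(withDns, dn));
        System.out.println("no extension -> " + dnsIdentities(null, dn));
    }
}
```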