Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0 Alpha 1
    • Component/s: HttpClient (classic)
    • Labels:
      None

      Description

      https should check CN of x509 cert

      Since we're essentially rolling our own "HttpsURLConnection", the checking provided by "javax.net.ssl.HostnameVerifier" is no longer in place.

      I have a patch I'm about to attach which caused both createSocket() methods on o.a.h.conn.ssl.SSLSocketFactory to blow up:

      test1: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>
      test2: javax.net.ssl.SSLException: hostname in certificate didn't match: <vancity.com> != <www.vancity.com>

      Hopefully people agree that this is desirable.

        Attachments

        1. SSLSocketFactory.patch
          5 kB
          Julius Davies
        2. SSLSocketFactory_improved.patch
          7 kB
          Julius Davies
        3. SSLSocketFactory_best.patch
          8 kB
          Julius Davies
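
The kind of check the report asks for, as an added example (not code from the attached patches or from HttpClient). The class and method names are hypothetical, the wildcard rule is simplified, and the sample names are constructed from the error output above, assuming the certificate was issued for www.vancity.com and the client connected to vancity.com.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;

public class HostnameCheckExample { // hypothetical name, for illustration only
    // Names the certificate vouches for: DNS subjectAltNames if present, otherwise the subject CN.
    // A caller would pass (X509Certificate) sslSocket.getSession().getPeerCertificates()[0].
    static List<String> certNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) names.add((String) san.get(1)); // 2 = dNSName
            }
        }
        if (names.isEmpty()) {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
            }
        }
        return names;
    }

    // Case-insensitive exact match, or a leftmost "*." that stands for exactly one label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // Run after the TLS handshake and before any request bytes are written to the socket.
    static void verify(String host, List<String> names) throws SSLException {
        for (String n : names) if (matches(host, n)) return;
        throw new SSLException("hostname in certificate didn't match: <" + host + "> != " + names);
    }

    public static void main(String[] args) {
        // Constructed sample: assumed certificate name, taken from the report's error output.
        List<String> constructed = List.of("www.vancity.com");
        try {
            verify("www.vancity.com", constructed); // names agree, returns normally
            verify("vancity.com", constructed);     // names differ, throws
        } catch (SSLException e) { System.out.println(e.getMessage()); }
    }
}
```

On current JDKs the same effect is available without custom matching by setting `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket before the handshake.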

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              juliusdavies Julius Davies
            • Votes:
              0
              Watchers:
              1

              Dates

              • Created:
                Updated:
                Resolved: