  1. HttpComponents HttpClient
  2. HTTPCLIENT-617

Hostname verification: turn off wildcards when CN is an IP address

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • None
    • 4.0 Alpha 2
    • HttpClient (classic)
    • None

    Description

      Hostname verification: turn off wildcards when CN is an IP address. This is a further improvement on HTTPCLIENT-613 and HTTPCLIENT-614.

      Example - don't allow:
      CN=*.114.102.2

      I'm thinking of grabbing the substring following the final dot, and running it through "Integer.parseInt()". If the NumberFormatException isn't thrown (so Integer.parseInt() actually worked!), then I'll turn off wildcard matching. Notice that this won't be a problem with IP6 addresses, since they don't use dots. It's only a problem with IP4, where the meaning of the dots clashes with dots in domain names.

      Note: when I turn off wildcard matching, I still attempt an exact match with the hostname. If through some weird mechanism the client is actually able to use a hostname such as "https://*.114.102.2/", then they will be okay if that's what the certificate on the server contains.

      Attachments

        1. guard_against_ip4_wildcard.patch
          1.0 kB
          Julius Davies
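
The guard described in this issue, as an added example: it is not the attached patch and not HttpClient's own code. The class name, method names and the simplified leftmost-label wildcard rule are assumptions made for illustration; only the "parse the text after the final dot with Integer.parseInt()" heuristic and the exact-match fallback come from the description.

```java
import java.util.Locale;

public class Ip4WildcardGuard {

    // Heuristic from the issue text: take the substring after the final dot
    // and try Integer.parseInt(). Success means the CN looks like an IPv4
    // address, so wildcard matching must be switched off.
    static boolean lastLabelIsNumeric(String cn) {
        String last = cn.substring(cn.lastIndexOf('.') + 1);
        try {
            Integer.parseInt(last);
            return true;
        } catch (NumberFormatException e) {
            return false; // also covers an empty label after a trailing dot
        }
    }

    // Hypothetical matcher (assumption): "*." is honoured only as the
    // leftmost label and must stand in for at least one character.
    static boolean matches(String host, String cn) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        boolean wildcard = c.startsWith("*.") && !lastLabelIsNumeric(c);
        if (!wildcard) {
            // Wildcards disabled or absent: an exact match is still attempted.
            return h.equals(c);
        }
        String suffix = c.substring(1); // e.g. ".example.com"
        return h.length() > suffix.length() && h.endsWith(suffix);
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed sample inputs: {hostname, CN}
            {"foo.example.com", "*.example.com"}, // ordinary wildcard
            {"17.114.102.2", "*.114.102.2"},      // IPv4-style CN with wildcard
            {"*.114.102.2", "*.114.102.2"},       // literal hostname, exact match
            {"10.0.0.1", "10.0.0.1"},             // plain IP CN, exact match
            {"example.com", "*.example.com"},     // bare domain vs wildcard
        };
        for (String[] c : cases) {
            System.out.printf("host=%-16s CN=%-14s -> %b%n",
                    c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```

Integer.parseInt() also accepts a leading sign, so a final label such as "+2" or "-2" is treated as numeric by this heuristic and disables wildcard matching as well.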

          People

            Unassigned Unassigned
            juliusdavies Julius Davies