[
https://issues.apache.org/jira/browse/HTTPCLIENT-1097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13040574#comment-13040574
]
Sebb commented on HTTPCLIENT-1097:
----------------------------------
RFC2818 says this about wildcards:
Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
This implies that the StrictHostnameVerifier ought to allow wildcards for
component fragments.
The RFC does not say if *oo.com or f*o.com is allowed - are such certs ever
created?
It does appear to disallow multiple wildcards - "... _the_ wildcard character
...".
I assume that the example f*.com is bad, and is not actually allowed!
In which case, wildcards are allowed if:
- there are at least 2 dots, i.e. 3 components
- there is only one * and this must be at the end of the first component
- if there are 3 components and the last one has two characters then check
against bad 2LDs
What about server*.example.com - do curl and Firefox allow this to match
server.abc.example.com?
The matching could probably be simplified if this is not allowed.
> BrowserCompatHostnameVerifier should handle wildcards in SSL certificates
> better
> --------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1097
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1097
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.1.1
> Reporter: Hennus Bergman
> Priority: Minor
>
> I ran into a problem with SSL wildcard certificates in the class
> BrowserCompatHostnameVerifier. It handles "*.example.org" fine but
> "server*.example.org" fails to work correctly. The javadoc claims that it
> should behave the same way as curl and FireFox. In Firefox an SSL certificate
> for "server*.example.org" works fine for the host "server.example.org", using
> HttpClient it throws an exception.
> Here is an example test (JUnit4):
> package org.example.hb;
> import javax.net.ssl.SSLException;
> import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
> import org.junit.Test;
> public class BrowserCompatHostnameVerifierTest {
> /**
> * Should not throw an exeption in the verify method.
> * @throws SSLException
> */
> @Test
> public void testVerifyStringStringArrayStringArray() throws SSLException
> {
> BrowserCompatHostnameVerifier hv = new
> BrowserCompatHostnameVerifier();
> String host = "www.example.org";
> String[] cns = {"www*.example.org"};
>
> hv.verify(host, cns, cns);
> }
> }
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
