massdosage commented on code in PR #566: URL: https://github.com/apache/httpcomponents-client/pull/566#discussion_r1718197205
########## httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java: ########## @@ -258,11 +259,11 @@ void testIdentityMatching() { Assertions.assertTrue(DefaultHostnameVerifier.matchIdentity("a.b.xxx.uk", "a.b.xxx.uk", publicSuffixMatcher)); Assertions.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.b.xxx.uk", "a.b.xxx.uk", publicSuffixMatcher)); - Assertions.assertTrue(DefaultHostnameVerifier.matchIdentity("a.b.xxx.uk", "*.b.xxx.uk", publicSuffixMatcher)); - Assertions.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.b.xxx.uk", "*.b.xxx.uk", publicSuffixMatcher)); + Assertions.assertFalse(DefaultHostnameVerifier.matchIdentity("a.b.xxx.uk", "*.b.xxx.uk", publicSuffixMatcher));

Review Comment: Having a wildcard certificate for a whole public suffix ("b.xx.uk" in this case) feels like it shouldn't be allowed, but we don't know enough about the rules of SSL certs to know for sure. For now we have updated the tests to pass according to the PSL algorithm but would value further input here.
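
Review bot: The removed matchIdentityStrict("a.b.xxx.uk", "*.b.xxx.uk", publicSuffixMatcher) assertion has no replacement in the lines shown, so only the non-strict path is pinned to the new result. If strict matching is also expected to reject this wildcard, add the corresponding assertFalse for matchIdentityStrict next to the new line so both code paths are covered. Because the flip from assertTrue to assertFalse changes which certificate identities the verifier accepts, a short comment in the test stating that the expectation follows from the PSL lookup for this name would make the intent clear to later readers.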