[ https://issues.apache.org/jira/browse/HTTPCLIENT-2337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17879502#comment-17879502 ]

Michael Osipov commented on HTTPCLIENT-2337:
--------------------------------------------

Yes, the self-signed cert is [valid|https://lapo.it/asn1js/#MIIDUzCCAjugAwIBAgIEAWpeaTANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZJbnRlcm1lZGlhdGUtQ0EtVEVTVC0xMB4XDTI0MDkwNTA4NDMyNVoXDTI0MDkwNTA5NDMyNVowUzENMAsGA1UECgwEVGVzdDFCMEAGA1UEAww5CAgICAgICAgICAhUaGlz8J-ZiENO8J-MtEhhcwlDdHJsCEFuZAxPdGhlclNwZWNpYWwKQ2hhcnMNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2zoZ1jrBB8IjAIJN98sOY9Mq38dzRMEXnQai_G3C53A8vRDS1Xd5ecLr3bIUT8mHOrIDY1BmUUxqy1-BQjLyZuDGhOxuplvVCYegku6Dl1mq3WYP57tzGr-YDWibMwnpVKihSooc4dkaJQdrPNRRLWKFAmliUMSwy-L8nfVMc4s3EFWZKbMM6aRNTw6lmjsOeW7Oq9ifEIrUWfSo5Mc9ugxfhQCzZqDVae0NOBrjWORO_J6Lq7sLoox9HpZrvG1DUtX16db5z_5BUUy9rtA_dqy2etj69-hEYloAVK1rJvoc_MPsVavv7o1nW9dWWh_b546nvCdMh-9gppr00xiQbwIDAQABo2EwXzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHwYDVR0jBBgwFoAUQvSi_0268glJ1fXaPesJy4HXQC0wHQYDVR0OBBYEFCLfsFq2yr6bKEBGWccyADf2bso5MA0GCSqGSIb3DQEBCwUAA4IBAQAqcSQFB0XS5s_NHIBUbDUjiNyvXBEoDCHet5swrZrALkH3bhwCo7NBISSL9E473ApTU7nRJdedyndHBaBTKmLuLVCYhMUXh9GN5In6BCjQa-C8wR2vnazadcyH5nOZMc0nf3nTlk0PmhcK4onReJvW1K_kst-yst9QZypbsqunOnk1JGJeRRsqMNkz1QRi8EWTCVb7eGRfS0KTFWbw5l0B_EThrTjsP7nB79Fvr4WpVa-Gnk71nm4jPG21joHsz7NqrO4MXZJpBAOb3DV4F_z8rOZcbj0P3MlN5pPR3PJLQXex-Bw_27uHs97-Acjl7SZ5Yh0p_1WTgj6Xgj-B7Syt]: it contains {{UTF8String}}.

I do remember that we had such requests for header values, and it was hard to 
make this better because it is hard to know when a value is not suitable for 
printing. Let me check our code.

> Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory
> -------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2337
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2337
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>    Affects Versions: 4.5.14, 5.3.1, 5.4-beta1
>            Reporter: Winfried Gerlach
>            Priority: Major
>             Fix For: 5.4-beta2
>
>         Attachments: example-cert.pem, image-2024-09-03-08-43-06-757.png
>
>
> We noticed that in both Apache HTTP Client 4.x and 5.x, 
> {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without 
> sanitizing the fields. If, e.g., the CN contains control characters like 
> {{\b}} or {{\n}}, this could be used by an attacker to tamper with the 
> log of the application (remove stuff, add line breaks etc.).
> !image-2024-09-03-08-43-06-757.png!
> In the screenshot, the CN has a \b after "Control", so the last letter "l" is 
> removed from the log.
> We don't consider this behavior particularly dangerous because it happens on 
> debug level only and the logger can also be turned off completely if needed.
> You may still want to think about sanitizing the RDN values before logging or 
> somehow avoiding logging the X500Principal completely.
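
As an added example, not code from HttpClient or from anyone in this thread: a small Java helper that escapes control characters (the {{\b}} and {{\n}} the report describes) and all other non-printable-ASCII characters before a DN string is written to a log. The class name, the 256-character cap and the sample CN are constructed for the illustration.

```java
import javax.security.auth.x500.X500Principal;

/** Constructed example (not HttpClient code): renders a DN so that RDN control chars cannot alter log lines. */
public final class SafeDnLogging {

    // Constructed limit: stops a very long DN from flooding the log.
    private static final int MAX_LEN = 256;

    /** Escapes everything outside printable ASCII using Java string-literal notation. */
    public static String sanitize(String raw) {
        if (raw == null) { return "null"; }
        int limit = Math.min(raw.length(), MAX_LEN);
        StringBuilder sb = new StringBuilder(limit + 16);
        for (int i = 0; i < limit; i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break; // keep the escaped form unambiguous
                case '\b': sb.append("\\b"); break;  // the backspace from the report
                case '\n': sb.append("\\n"); break;  // the line break from the report
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c >= 0x20 && c <= 0x7E) {
                        sb.append(c); // printable ASCII passes through unchanged
                    } else {
                        // remaining C0/C1 controls, DEL, non-ASCII and surrogate halves
                        sb.append(String.format("\\u%04X", (int) c));
                    }
            }
        }
        if (raw.length() > limit) {
            sb.append("...[").append(raw.length() - limit).append(" more chars]");
        }
        return sb.toString();
    }

    /** Drop-in for call sites that currently log principal.getName() directly. */
    public static String safeName(X500Principal principal) {
        return sanitize(principal.getName());
    }

    public static void main(String[] args) {
        // Constructed sample CN carrying \b and \n, as in the issue description
        String hostile = "CN=Control\bChars\nFAKE LOG LINE,O=Test";
        System.out.println("sanitized: " + sanitize(hostile));
        X500Principal benign = new X500Principal("CN=example.org,O=Test");
        System.out.println("principal: " + safeName(benign));
    }
}
```

Because every escaped form starts with a backslash and literal backslashes are doubled, a reader of the log can always tell an attacker-supplied {{\n}} sequence from a real line break.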


