rschmitt opened a new pull request, #647: URL: https://github.com/apache/httpcomponents-client/pull/647
The use of public suffix matching as part of hostname verification is nonstandard. I can't find anything in the TLS specifications that prescribes or even mentions this behavior, having checked:

* RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
* RFC 9110: HTTP Semantics
* RFC 9525: Service Identity in TLS

There are of course rules for wildcard matching, but ultimately the question of whether to trust a certificate for `*.com` is up to the CAs in your trust store. Given the oddity of the PSL matching behavior and the non-trivial runtime overhead of loading and querying the PSL, I think it makes more sense for the default `HostnameVerifier` to not use this behavior.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
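Added illustration, not part of the PR or of HttpClient's code: the two behaviours the description contrasts, RFC 9525 wildcard matching on its own versus the same rules plus a public-suffix refusal. The suffix set is a constructed three-entry sample rather than the real Public Suffix List, and the PSL-aware variant models the idea only, not HttpClient's own `HostnameVerifier` implementation.

```python
# Added example (not Apache HttpClient code): RFC 9525 style wildcard
# matching, with and without a public-suffix check, to show what each
# behaviour accepts. The suffix set is a constructed sample, not the PSL.

# Constructed stand-in for the Public Suffix List; the real list has
# thousands of rules and has to be loaded and queried at runtime.
SAMPLE_PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop a trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")


def matches_rfc_wildcard(pattern: str, host: str) -> bool:
    """RFC 9525 section 6.3 rules only: '*' may appear only as the entire
    left-most label and matches exactly one label. No public-suffix
    knowledge is used, so '*.com' matches 'example.com' here."""
    p, h = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return p == h
    if len(p) < 2 or p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False  # bare '*', partial ('f*o') or non-left-most wildcards
    return len(p) == len(h) and p[1:] == h[1:]


def is_public_suffix(domain: str) -> bool:
    """Exact, case-insensitive lookup in the constructed suffix set."""
    return ".".join(_labels(domain)) in SAMPLE_PUBLIC_SUFFIXES


def matches_psl_aware(pattern: str, host: str) -> bool:
    """Same wildcard rules plus the extra refusal the PR discusses: a
    wildcard whose remaining labels are exactly a public suffix ('*.com',
    '*.co.uk') is rejected even though the RFC rules alone would match."""
    p = _labels(pattern)
    if p[0] == "*" and is_public_suffix(".".join(p[1:])):
        return False
    return matches_rfc_wildcard(pattern, host)


def compare(pattern: str, host: str) -> tuple[bool, bool]:
    """Return (rfc_only, psl_aware) so the difference is easy to inspect."""
    return matches_rfc_wildcard(pattern, host), matches_psl_aware(pattern, host)


if __name__ == "__main__":
    for pat, host in [("*.example.com", "www.example.com"),
                      ("*.example.com", "a.b.example.com"),
                      ("*.com", "example.com"),
                      ("*.co.uk", "example.co.uk")]:
        rfc, psl = compare(pat, host)
        print(f"{pat:16} {host:20} rfc={rfc!s:5} psl_aware={psl}")
```

Only the `*.com` and `*.co.uk` rows differ between the two columns, which is exactly the set of certificates the PR argues should be left to the trust store rather than to a PSL lookup in the verifier.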