Chris Ribble created CXF-6762:
---------------------------------
Summary: DefaultHostnameVerifier fails for non-root wildcard SAN DNSName entries
Key: CXF-6762
URL: https://issues.apache.org/jira/browse/CXF-6762
Project: CXF
Issue Type: Bug
Components: JAX-RS, Transports
Affects Versions: 3.1.4
Reporter: Chris Ribble
Priority: Minor
DefaultHostnameVerifier, which is used by default by the JAX-RS ClientBuilder
implementation in CXF (and which cannot be overridden without also overriding
the SSLContext, due to CXF-6761) improperly validates the request hostname
against the DNSName values from the SAN section of a certificate when matching
wildcards.
For example, the following works:
Hostname = my.test.com -> DNSName = *.test.com
But the following does not:
Hostname = 1.my.test.com -> DNSName = *.my.test.com
The reason this fails is that the validation code erroneously assumes (in
multiple places) that wildcards only ever exist on the root domain.
The logic should be improved to allow the wildcard to be used to replace 1
domain name component or component fragment (comments in the code indicate that
this is its purpose, but it fails at this).
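To make the intended rule concrete, here is an added reference matcher (written for this note in Python, not CXF's DefaultHostnameVerifier code) that lets a wildcard replace exactly one DNS label, or a fragment of one, at any depth rather than only directly under the root domain; the function names and the sample hostnames other than the two from the report are assumptions for illustration.

```python
import re
from typing import Iterable


def _wildcard_label_to_regex(label: str) -> str:
    # "*" may stand for a whole label or a fragment of it; it never spans a dot.
    return "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in label)


def wildcard_dnsname_matches(hostname: str, dnsname: str) -> bool:
    """Return True if the SAN DNSName (possibly a wildcard) matches hostname.

    Rules applied, in the spirit of RFC 6125 section 6.4.3:
      * comparison is case-insensitive and ignores a trailing dot
      * at most one '*' is honoured, and only in the leftmost label
      * the wildcard covers exactly one label (or a fragment of it),
        at whatever depth the certificate places it
      * at least two literal labels must follow the wildcard (no '*.com')
    """
    host = hostname.rstrip(".").lower()
    pattern = dnsname.rstrip(".").lower()
    if "*" not in pattern:
        return host == pattern                      # plain DNSName: exact match only
    first, _, rest = pattern.partition(".")
    if "*" in rest or first.count("*") != 1:
        return False                                # wildcard only in the leftmost label
    if rest.count(".") < 1:
        return False                                # refuse over-broad patterns like *.com
    host_first, _, host_rest = host.partition(".")
    if host_first == "" or host_rest != rest:
        return False                                # labels after the wildcard match literally
    return re.fullmatch(_wildcard_label_to_regex(first), host_first) is not None


def verify_hostname(hostname: str, san_dnsnames: Iterable[str]) -> bool:
    """Accept the connection if any SAN DNSName entry matches the request host."""
    return any(wildcard_dnsname_matches(hostname, d) for d in san_dnsnames)


if __name__ == "__main__":
    # The two cases from the report (constructed certificate SAN entries).
    print(wildcard_dnsname_matches("my.test.com", "*.test.com"))        # True
    print(wildcard_dnsname_matches("1.my.test.com", "*.my.test.com"))   # True
```

Note that "1.my.test.com" still does not match "*.test.com", because the wildcard replaces one label only; that is the distinction the verifier needs to preserve while fixing the depth assumption.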
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)