HTTPCLIENT-1051: Default X509 hostname verifier rejects certificates with an IP address as CN

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1078788 13f79535-47bb-0310-9956-ffa450edef68
2011-03-07 14:46:02 +00:00 · 2011-03-07 14:46:02 +00:00 · 77ee7287d0
parent 86369c1696
commit 77ee7287d0
1 changed files with 17 additions and 0 deletions
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
@ -33,6 +33,9 @@ import org.apache.http.conn.util.InetAddressUtils;

 import java.io.IOException;
 import java.io.InputStream;
+import java.net.Inet4Address;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
@ -194,6 +197,20 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
                buf.append(" OR");
            }

+            // Work-around for certificates that have an IPv4 address for a CN
+            if (InetAddressUtils.isIPv4Address(cn)) {
+                try {
+                    InetAddress[] addresses = Inet4Address.getAllByName(hostName);
+                    for (InetAddress address: addresses) {
+                        if (cn.equals(address.getHostAddress())) {
+                            match = true;
+                            break;
+                        }
+                    }
+                } catch (UnknownHostException ignore) {
+                }
+            }
+
            // The CN better have at least two dots if it wants wildcard
            // action.  It also can't be [*.co.uk] or [*.co.jp] or
            // [*.org.uk], etc...