From 77ee7287d04f0a538f9f018f42764ef3b0c1de0f Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Mon, 7 Mar 2011 14:46:02 +0000
Subject: [PATCH] HTTPCLIENT-1051: Default X509 hostname verifier rejects certificates with an IP address as CN

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1078788 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/http/conn/ssl/AbstractVerifier.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
index 547204a4e..350a5dd6a 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
@@ -33,6 +33,9 @@ import org.apache.http.conn.util.InetAddressUtils;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.Inet4Address;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
@@ -194,6 +197,20 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
 buf.append(" OR");
 }
+ // Work-around for certificates that have an IPv4 address for a CN
+ if (InetAddressUtils.isIPv4Address(cn)) {
+ try {
+ InetAddress[] addresses = Inet4Address.getAllByName(hostName);
+ for (InetAddress address: addresses) {
+ if (cn.equals(address.getHostAddress())) {
+ match = true;
+ break;
+ }
+ }
+ } catch (UnknownHostException ignore) {
+ }
+ }
+
 // The CN better have at least two dots if it wants wildcard
 // action. It also can't be [*.co.uk] or [*.co.jp] or
 // [*.org.uk], etc...
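Review bot: The IPv4 work-around in the second hunk lets the result of `Inet4Address.getAllByName(hostName)` decide the match, so certificate acceptance now depends on an unauthenticated DNS answer, which is the dependency hostname verification exists to remove. I would drop the lookup and accept an IPv4 CN only when the caller supplied the same literal, assuming `hostName` holds the caller's host: `if (InetAddressUtils.isIPv4Address(cn) && cn.equals(hostName)) { match = true; }`. If resolution has to stay for compatibility, it belongs in a separate opt-in verifier rather than the shared `AbstractVerifier` path. The empty `catch (UnknownHostException ignore)` also needs a comment saying why the failure is safe to ignore, e.g. `// unresolved host: fall through to the name comparison below`. The enclosing loop and method start and end outside the hunk, so whether later code overwrites `match` cannot be confirmed from here.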