HTTPCLIENT-1051: Default X509 hostname verifier rejects certificates with an IP address as CN
git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1078788 13f79535-47bb-0310-9956-ffa450edef68
parent
86369c1696
commit
77ee7287d0
|
@ -33,6 +33,9 @@ import org.apache.http.conn.util.InetAddressUtils;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
|
import java.net.Inet4Address;
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.net.UnknownHostException;
|
||||||
import java.security.cert.Certificate;
|
import java.security.cert.Certificate;
|
||||||
import java.security.cert.CertificateParsingException;
|
import java.security.cert.CertificateParsingException;
|
||||||
import java.security.cert.X509Certificate;
|
import java.security.cert.X509Certificate;
|
||||||
|
@ -194,6 +197,20 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
|
||||||
buf.append(" OR");
|
buf.append(" OR");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Work-around for certificates that have an IPv4 address for a CN
|
||||||
|
if (InetAddressUtils.isIPv4Address(cn)) {
|
||||||
|
try {
|
||||||
|
InetAddress[] addresses = Inet4Address.getAllByName(hostName);
|
||||||
|
for (InetAddress address: addresses) {
|
||||||
|
if (cn.equals(address.getHostAddress())) {
|
||||||
|
match = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (UnknownHostException ignore) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// The CN better have at least two dots if it wants wildcard
|
// The CN better have at least two dots if it wants wildcard
|
||||||
// action. It also can't be [*.co.uk] or [*.co.jp] or
|
// action. It also can't be [*.co.uk] or [*.co.jp] or
|
||||||
// [*.org.uk], etc...
|
// [*.org.uk], etc...
|
||||||
|
|
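Review bot: The added work-around makes the hostname check depend on DNS: in the `InetAddressUtils.isIPv4Address(cn)` branch, `match` becomes true when any address returned by `Inet4Address.getAllByName(hostName)` equals the CN. Name resolution is not authenticated, so the verifier ends up trusting the same lookup that certificate verification is meant to be independent of. A safer form skips resolution and accepts an IP-address CN only when the caller-supplied name is that same literal, e.g. `if (InetAddressUtils.isIPv4Address(cn) && cn.equals(hostName)) { match = true; }`. Whether the surrounding loop already covers that case cannot be seen here, because the enclosing method starts and ends outside the hunk. Two smaller points: `getAllByName` is a static method of `InetAddress`, so calling it through `Inet4Address` does not restrict the result to IPv4, and the empty `catch (UnknownHostException ignore)` would read better with a comment such as `// resolution failed: leave match unchanged`.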