HTTPCLIENT-1698: Fixed matching of IPv6 addresses by DefaultHostnameVerifier

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1716971 13f79535-47bb-0310-9956-ffa450edef68
Oleg Kalnichevski 2015-11-28 13:25:27 +00:00
parent 3297b7a9f3
commit df4e36c3fb
1 changed files with 24 additions and 9 deletions


@ -64,6 +64,8 @@ import org.apache.http.conn.util.PublicSuffixMatcher;
@Immutable @Immutable
public final class DefaultHostnameVerifier implements HostnameVerifier { public final class DefaultHostnameVerifier implements HostnameVerifier {
enum TYPE { IPv4, IPv6, DNS };
final static int DNS_NAME_TYPE = 2; final static int DNS_NAME_TYPE = 2;
final static int IP_ADDRESS_TYPE = 7; final static int IP_ADDRESS_TYPE = 7;
@ -96,17 +98,30 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
public void verify( public void verify(
final String host, final X509Certificate cert) throws SSLException { final String host, final X509Certificate cert) throws SSLException {
final boolean ipv4 = InetAddressUtils.isIPv4Address(host); TYPE hostFormat = TYPE.DNS;
final boolean ipv6 = InetAddressUtils.isIPv6Address(host); if (InetAddressUtils.isIPv4Address(host)) {
final int subjectType = ipv4 || ipv6 ? IP_ADDRESS_TYPE : DNS_NAME_TYPE; hostFormat = TYPE.IPv4;
} else {
String s = host;
if (s.startsWith("[") && s.endsWith("]")) {
s = host.substring(1, host.length() - 1);
}
if (InetAddressUtils.isIPv6Address(s)) {
hostFormat = TYPE.IPv6;
}
}
final int subjectType = hostFormat == TYPE.IPv4 || hostFormat == TYPE.IPv6 ? IP_ADDRESS_TYPE : DNS_NAME_TYPE;
final List<String> subjectAlts = extractSubjectAlts(cert, subjectType); final List<String> subjectAlts = extractSubjectAlts(cert, subjectType);
if (subjectAlts != null && !subjectAlts.isEmpty()) { if (subjectAlts != null && !subjectAlts.isEmpty()) {
if (ipv4) { switch (hostFormat) {
matchIPAddress(host, subjectAlts); case IPv4:
} else if (ipv6) { matchIPAddress(host, subjectAlts);
matchIPv6Address(host, subjectAlts); break;
} else { case IPv6:
matchDNSName(host, subjectAlts, this.publicSuffixMatcher); matchIPv6Address(host, subjectAlts);
break;
default:
matchDNSName(host, subjectAlts, this.publicSuffixMatcher);
} }
} else { } else {
// CN matching has been deprecated by rfc2818 and can be used // CN matching has been deprecated by rfc2818 and can be used