our hostname verifier is resistant to \00 (null) after wildcard

Hi, HttpComponents, and Not-Yet-Commons-SSL,

I saw an interesting link on Justin Mason's weblog (via Planet Apache):

http://taint.org/2009/11/12/230503a.html

Eventually you find this link:

[Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net

https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html

Just thought I'd let people know that our Hostname Verifier is resistant to this. I think the resistance is coming from the way Java builds the string, because here is the warning I got when I tried to use the cert:

javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost> != <*thoughtcrime.noisebridge.net>
    at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)

But even if Java didn't build the String that way, I think we'd still be resistant, because if I remember correctly, the HttpClient / Not-Yet-Commons-SSL Hostname verifier insists on there being at least two dots (e.g. *.a.com) in a wildcard cert.

A feather in my cap! :-)

--
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/logging.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...
Re: our hostname verifier is resistant to \00 (null) after wildcard

Julius,

Thanks for testing it. It'd be nice to have a test case for this kind of forged certificate in the JUnit test suite, actually. Would you be willing to create one?

Funny enough, I was pretty sure that no Java application would ever be affected by this bug. Because \0 is an ordinary character in Java, and not a string terminator.

Thanks.

Ortwin

Julius Davies wrote:
> Hi, HttpComponents, and Not-Yet-Commons-SSL,
>
> I saw an interesting link on Justin Mason's weblog (via Planet Apache):
>
> http://taint.org/2009/11/12/230503a.html
>
> Eventually you find this link:
>
> [Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net
>
> https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html
>
> Just thought I'd let people know that our Hostname Verifier is
> resistant to this. I think the resistance is coming from the way Java
> builds the string, because here is the warning I got when I tried to
> use the cert:
>
> javax.net.ssl.SSLException:
> hostname in certificate didn't match: <localhost> !=
> <*thoughtcrime.noisebridge.net>
>     at org.apache.commons.ssl.HostnameVerifier$AbstractVerifier.check(HostnameVerifier.java:415)
>
> But even if Java didn't build the String that way, I think we'd still
> be resistant, because if I remember correctly, the HttpClient /
> Not-Yet-Commons-SSL Hostname verifier insists on there being at least
> two dots (e.g. *.a.com) in a wildcard cert.
>
> A feather in my cap! :-)

--
[web] http://www.odi.ch/
[blog] http://www.odi.ch/weblog/
[pgp] key 0x81CF3416
finger print F2B1 B21F F056 D53E 5D79 A5AF 02BE 70F5 81CF 3416
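The two points made in this thread (a NUL byte in the CN only truncates the name when the verifier hands it to NUL-terminated string code, and a wildcard should only be honoured as a leading "*." on a name with at least two dots) can be shown side by side. The following is an added example, not code from HttpComponents or Not-Yet-Commons-SSL; the first CN is the Noisebridge one quoted above, while `www.example.com`, `attacker.example` and the function names are constructed for illustration.

```python
"""Hostname verification against a NUL byte in a certificate CN.

Added example, not HttpComponents / Not-Yet-Commons-SSL code. The first CN is
the one quoted in the thread; the other names are constructed and hypothetical.
"""

# The Noisebridge CN from the thread: a wildcard, a NUL byte, then a real name.
WILDCARD_NUL_CN = "*\x00thoughtcrime.noisebridge.net"
# Constructed: the "trusted name, NUL, attacker-controlled suffix" shape.
PREFIX_NUL_CN = "www.example.com\x00attacker.example"
# Constructed: a well-formed wildcard with the two dots the thread mentions.
GOOD_WILDCARD_CN = "*.noisebridge.net"


def cn_lengths(cn: str) -> tuple:
    """(length as a Java/Python string, length as a C string).

    Java keeps the NUL as an ordinary character, so the whole CN reaches the
    comparison; a C strlen() stops at the first NUL.
    """
    return (len(cn), len(cn.split("\x00", 1)[0]))


def naive_c_string_match(cn: str, host: str) -> bool:
    """Model a verifier that passes the CN through NUL-terminated string code.

    Everything after the first NUL is silently dropped, and a bare '*' is
    treated as matching any host. This is the vulnerable behaviour.
    """
    truncated = cn.split("\x00", 1)[0].lower()
    host = host.lower()
    if truncated == "*":
        return True
    if truncated.startswith("*."):
        return host.endswith(truncated[1:])
    return truncated == host


def strict_match(cn: str, host: str) -> bool:
    """Compare the full CN, reject NULs, and accept only a leading '*.'
    wildcard whose remainder has at least two dots ('*.a.com' yes, '*.com' no).

    The wildcard covers exactly one label: '*.a.com' matches 'x.a.com' but
    not 'a.com' or 'y.x.a.com'.
    """
    if "\x00" in cn or "\x00" in host:
        return False
    cn = cn.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cn or not host:
        return False
    if "*" not in cn:
        return cn == host
    if not cn.startswith("*."):
        return False
    suffix = cn[1:]                      # e.g. ".a.com"
    if "*" in suffix or suffix.count(".") < 2:
        return False
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return bool(label) and "." not in label


def compare(cn: str, host: str) -> dict:
    """Run both verifiers on one (CN, host) pair for side-by-side inspection."""
    return {"naive": naive_c_string_match(cn, host),
            "strict": strict_match(cn, host)}


if __name__ == "__main__":
    for cn, host in [(WILDCARD_NUL_CN, "localhost"),
                     (PREFIX_NUL_CN, "www.example.com"),
                     (GOOD_WILDCARD_CN, "thoughtcrime.noisebridge.net"),
                     ("*.net", "noisebridge.net")]:
        print(repr(cn), host, cn_lengths(cn), compare(cn, host))
```

The NUL-truncating model accepts the Noisebridge CN for `localhost` (it sees only `*`) and accepts `*.net` for any `.net` host; the strict matcher refuses both, the first because the CN still contains the NUL when compared as a whole string, the second because `.net` has only one dot.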