HTTPCLIENT-2047: fixed regression in DefaultHostnameVerifier #203
Conversation
This change ensures that during hostname verification the public suffix list is only used to prevent wildcard matching against entire TLDs (e.g. `*.com`). Currently, private domains are also being matched against, which is preventing reasonable wildcards (such as `*.s3.eu-central-1.amazonaws.com`) from being respected.
| publicSuffixMatcher); | ||
| DefaultHostnameVerifier.matchDNSName( | ||
| "hostname-workspace-1.ops.domain.local", | ||
| Collections.singletonList(SubjectName.DNS("hostname-workspace-1.ops.domain.local")), |
There was a problem hiding this comment.
Call me stupid, but this list does not include the .local domain and according to RFC 6762, section 3 this hostname is invalid. only a single DNS label is allowed in the .local domain.
There was a problem hiding this comment.
@michael-o I am not sure I understand your objection. The domain name in question might well be invalid but the matching logic should still work, should not it?
There was a problem hiding this comment.
I agree that the matching logic should work, but I don't think we should use something forbidden in our tests. hostname-workspace-1-ops.local should do, shouldn't it for the tests?
There was a problem hiding this comment.
@michael-o Sure. That I can do.
…rejection of certs with non-standard domains. This reverts commit e0416f0
|
I see this is targeted for 4.5.12--is there a release in process for that version yet? If there is anything I can do to help please let me know. |
|
@l3ender I will try to get around to next week. |
Since apache/httpcomponents-client#203 httpclient handles private suffix rules differently. This change updates RegisteredDomainProcessorTests to reflect those new rules
No description provided.