Add a factory for HostnameVerifiers
Xuelei Fan
xuelei.fan at oracle.com
Wed Nov 28 14:59:57 UTC 2012
What's the motivation of the proposal?
It's preferable to use the new X509ExtendedTrustManager and proper
endpoint identification algorithm to do hostname verification. Does the
new endpoint identification approach work for you?
Thanks,
Xuelei
On 11/28/2012 9:55 PM, Florian Weimer wrote:
> The attached patch adds a new class
> javax.net.ssl.HostnameVerifierFactory, along with an SPI class and an
> implementation. This allows TLS clients to perform host name
> verification without referring to the internal HostnameChecker class.
>
> I've updated the existing TLS test case for Kerberos to include host
> name checking, and a new test case for host name verification with
> certificate authentication. It turns out that HostnameChecker does not
> quite implement the algorithm from RFC 2818 (I think only a single
> wildcard per entire name is allowed by the RFC), but that could be
> changed in a separate patch.
>
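The endpoint identification approach mentioned in the reply, shown as an added example that is not part of the original thread or the attached patch. The class name, method names and the host `example.com` are assumptions made for illustration; the JSSE calls are the standard Java 7 API.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class name; illustrates hostname verification done by JSSE itself.
public class EndpointIdentificationExample {

    // "HTTPS" asks the trust manager to match the server certificate against
    // the peer host name during the handshake (RFC 2818 rules).
    static SSLParameters withHttpsIdentification(SSLParameters params) {
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    // Socket client: the parameters must be set before the handshake starts.
    // A certificate that does not match the host makes startHandshake() throw.
    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setSSLParameters(withHttpsIdentification(socket.getSSLParameters()));
            socket.startHandshake();
            return socket;
        } catch (IOException e) {
            socket.close(); // do not leak a socket whose peer failed verification
            throw e;
        }
    }

    // Engine client: the peer host passed here is the name that gets checked.
    static SSLEngine clientEngine(String host, int port) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        engine.setSSLParameters(withHttpsIdentification(engine.getSSLParameters()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample host; configuring the engine needs no network access.
        SSLEngine engine = clientEngine("example.com", 443);
        System.out.println(engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```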