[cryptography] "best practices" for hostname validation when using JSSE
Kevin W. Wall
kevin.w.wall at gmail.com
Sat Aug 10 02:09:21 EDT 2013
On Fri, Aug 9, 2013 at 3:03 PM, Patrick Pelletier
<code at funwithsoftware.org> wrote:
> One thing mentioned in the "Most Dangerous Code in the World" paper (and
> I've verified experimentally) is that JSSE doesn't validate the hostname
> against the X.509 certificate, so if one uses JSSE naively, one is open to
> man-in-the-middle attacks. The best solution I've been able to figure out
> is to "borrow" the hostname validation code from Apache HttpComponents. But
> I'm curious what other people who use JSSE are doing, and if there's a "best
> practice" for doing this.
> Apologies if this isn't on-topic for this list; I know you guys mostly
> discuss higher-level issues, rather than APIs. I already tried asking on
> Stack Overflow, and they said it was off-topic for Stack Overflow:
I recall using HttpsURLConnection and that it supported hostname verification.
I know you said you are not using HTTPS, but somewhere under the hood,
HttpsURLConnection is still handling the SSL connection and retrieving
the certificate and checking the server-side cert for a match to subjectDN or
I haven't studied this yet (and may not have time to do so in the near future),
but I figure that this analysis of HttpsURLConnection might help. Check out:
If you just search for HostnameVerifier on that page, it should lead you in
the right direction. If you have a specific question about the code, ping
me off-list and I'll see if I can answer.
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
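
An added example, not code from either poster or from the JSSE sources: one way to get the hostname check discussed in this thread on a raw `SSLSocket` without HTTPS, assuming Java 7 or later, where `SSLParameters.setEndpointIdentificationAlgorithm` is available. The class name `VerifiedTlsClient` and the default host `example.org` are placeholders.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

public class VerifiedTlsClient {

    // Opens a TLS socket whose handshake fails unless the server certificate
    // matches `host`. Without the SSLParameters step below, a plain SSLSocket
    // validates only the certificate chain, not the name inside the certificate.
    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Passing the host name (not an InetAddress) records it as the peer
        // host, which is the name the trust manager compares against.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            // "HTTPS" selects RFC 2818 matching: subjectAltName entries first,
            // falling back to the subject CN.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            // Force the handshake now so a name mismatch surfaces here as an
            // SSLHandshakeException instead of on the first read or write.
            socket.startHandshake();
            return socket;
        } catch (IOException e) {
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.org"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = connect(host, port)) {
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The parameters must be set before the handshake starts; applying them to an already-negotiated socket does not re-check the certificate.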