[cryptography] "best practices" for hostname validation when using JSSE

Kevin W. Wall kevin.w.wall at gmail.com
Sat Aug 10 02:09:21 EDT 2013

On Fri, Aug 9, 2013 at 3:03 PM, Patrick Pelletier
<code at funwithsoftware.org> wrote:
> One thing mentioned in the "Most Dangerous Code in the World" paper (and
> I've verified experimentally) is that JSSE doesn't validate the hostname
> against the X.509 certificate, so if one uses JSSE naively, one is open to
> man-in-the-middle attacks.  The best solution I've been able to figure out
> is to "borrow" the hostname validation code from Apache HttpComponents.  But
> I'm curious what other people who use JSSE are doing, and if there's a "best
> practice" for doing this.
> Apologies if this isn't on-topic for this list; I know you guys mostly
> discuss higher-level issues, rather than APIs.  I already tried asking on
> Stack Overflow, and they said it was off-topic for Stack Overflow:
> http://stackoverflow.com/questions/18139448/how-should-i-do-hostname-validation-when-using-jsse

I recall using HttpsUrlConnection and that it supported hostname verification.
I know you said you are not using HTTPS, but somewhere under the hood,
HttpsUrlConnection is still handling the SSL connection and retrieving
the certificate and checking the server-side cert for a match to subjectDN or
subjectAlternateName attributes.

I haven't studied this yet (and may not have time to do so in the near future),
but I figure that this analysis of HttpsUrlConnection might help. Check out:

If you just search for HostnameVerifier on that page, it should lead you in
the right direction.  If you have a specific question about the code, ping
me off-list and I'll see if I can answer.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
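The point both posters are circling is that a raw JSSE SSLSocket authenticates the server's certificate chain but, by default, never checks that the certificate was issued for the host you intended to reach, which is exactly the gap a man-in-the-middle needs. Since Java 7, JSSE can do that check itself during the handshake if the client asks for it via SSLParameters, so there is no need to copy Apache's verifier. The following is an added example, not code from this thread or from any of the projects mentioned; it assumes Java 7 or later (setEndpointIdentificationAlgorithm did not exist in Java 6) and a server certificate chain that the default trust store already accepts.

```java
import java.io.IOException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Opens a TLS connection whose certificate is checked against the target hostname. */
public final class VerifiedTlsClient {

    private VerifiedTlsClient() {}

    /**
     * Connects to host:port and completes the TLS handshake with hostname
     * verification enabled. Throws SSLHandshakeException if the chain does not
     * validate OR if the certificate's subjectAltName/CN does not match host.
     */
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // Pass the hostname (not an InetAddress) so JSSE knows what name to
        // compare the certificate against.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        // "HTTPS" selects the RFC 2818 matching rules (dNSName SANs, wildcard
        // rules, CN fallback). Without this line a raw SSLSocket performs NO
        // hostname check at all, which is the weakness described in the thread.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        // Force the handshake now so a mismatch surfaces here, before any
        // application data is written to a possibly impersonated peer.
        socket.startHandshake();
        return socket;
    }

    /** Small demonstration: pass a hostname (and optionally a port) on the command line. */
    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com";   // placeholder target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket socket = connect(host, port)) {
            SSLSession session = socket.getSession();
            System.out.println("Negotiated " + session.getProtocol()
                    + " / " + session.getCipherSuite());
            System.out.println("Peer: " + session.getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // Expected outcome for a certificate issued to a different name.
            System.err.println("Refusing connection to " + host + ": " + e.getMessage());
        }
    }
}
```

Two practical notes. First, the check has to be requested before startHandshake(); setting it on a socket whose session is already established does nothing for that session. Second, HttpsURLConnection already performs this comparison internally, so the reply above is correct that it is safe by default; the failure mode there is the opposite one, an application installing a permissive HostnameVerifier that returns true for everything, which silently reopens the same hole.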
