[cryptography] "best practices" for hostname validation when using JSSE

Peter Saint-Andre stpeter at stpeter.im
Sat Aug 10 19:47:59 EDT 2013



On 8/10/13 12:09 AM, Kevin W. Wall wrote:
> On Fri, Aug 9, 2013 at 3:03 PM, Patrick Pelletier 
> <code at funwithsoftware.org> wrote:
>> One thing mentioned in the "Most Dangerous Code in the World"
>> paper (and I've verified experimentally) is that JSSE doesn't
>> validate the hostname against the X.509 certificate, so if one
>> uses JSSE naively, one is open to man-in-the-middle attacks.  The
>> best solution I've been able to figure out is to "borrow" the
>> hostname validation code from Apache HttpComponents.  But I'm
>> curious what other people who use JSSE are doing, and if there's
>> a "best practice" for doing this.
>> 
>> Apologies if this isn't on-topic for this list; I know you guys
>> mostly discuss higher-level issues, rather than APIs.  I already
>> tried asking on Stack Overflow, and they said it was off-topic
>> for Stack Overflow:
>> 
>> http://stackoverflow.com/questions/18139448/how-should-i-do-hostname-validation-when-using-jsse
>
> I recall using HttpsUrlConnection and that it supported hostname
> verification. I know you said you are not using HTTPS, but
> somewhere under the hood, HttpsUrlConnection, is still handling the
> SSL connection and retrieving the certificate and checking the
> server-side cert for a match to subjectDN or subjectAlternateName
> attributes.

RFC 6125 might be of interest:

https://datatracker.ietf.org/doc/rfc6125/

There's more than hostname checking involved, of course (RFC 5280
integrity checks, CRL/OCSP, etc.).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
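
Added example, not part of the original thread and not code from any of the posters: one way to get the hostname check discussed above from JSSE itself (Java 7 and later) on a plain SSLSocket, without HttpsURLConnection. The class name VerifiedTlsClient and the default host example.com are placeholders chosen for illustration.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class VerifiedTlsClient {

    /** Opens a TLS socket whose handshake fails unless the certificate names host. */
    static SSLSocket connect(String host, int port) throws IOException, java.security.GeneralSecurityException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // createSocket connects at TCP level; the TLS handshake has not run yet.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            // By default a raw SSLSocket validates the chain only. "HTTPS" selects
            // the RFC 2818 name-matching rules (subjectAltName first) and can be
            // used for non-HTTP protocols running over TLS as well.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws on chain failure or name mismatch
            return socket;
        } catch (IOException e) {
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = connect(host, port)) {
            System.out.println("verified peer: " + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // A certificate issued for a different name ends up here.
            System.err.println("rejected: " + e.getMessage());
        }
    }
}
```

This covers the name check only; revocation checking (CRL/OCSP) is configured separately.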



