[cas-dev] HttpClient, host name verification and * certificates

Velpi velpi at industria.be
Mon Aug 7 15:26:55 EDT 2006


Hi

I ran into trouble with the HttpClient today while doing an upgrade from 3.0.4 
to 3.0.5: it seems HttpClient doesn't handle * certificates well :(. CAS didn't 
complain about that in older versions...

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/StrictSSLProtocolSocketFactory.java?view=markup
"if (hostname.equalsIgnoreCase(cn))" won't work when the name is a "*" of 
course. Although a * certificate isn't the best when it comes to security, it 
should work.

Any idea whether you can fix this easily without having to turn off the check, 
or should I contact the HttpClient people?
Unfortunately this is a real show-stopper for me :( [I had CAS 3.0.5 and X.509 
with LDAP lookups up&running perfectly... well... almost perfect it seems]


--------------------------------------
18:59:08,299 [ERROR] javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'webmail4.example.be', received '*.example.be' - org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler [http-444-Processor71; 2006-08-07 18:59:08,299]
javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'webmail4.example.be', received '*.example.be'
        at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:303)
        at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
        at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:77)
        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)

--------------------------------------

-- Velpi
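Added example, not from the post above and not HttpClient's own code: a wildcard-aware host name check that the plain `equalsIgnoreCase(cn)` comparison lacks, which accepts `*.example.be` for `webmail4.example.be` but still rejects the over-broad matches a careless wildcard check would allow. The class and method names are hypothetical.

```java
import java.util.Locale;

/** Hypothetical replacement for the exact-match CN check; follows the
 *  RFC 2818 convention that "*" covers exactly one DNS label. */
public final class WildcardHostnameMatcher {

    /** Returns true if the certificate name (CN or SAN dNSName) covers the requested host. */
    public static boolean matches(String hostname, String certName) {
        String host = hostname.toLowerCase(Locale.ROOT);
        String pattern = certName.toLowerCase(Locale.ROOT);

        // Exact match: the only case the original equalsIgnoreCase check handled.
        if (host.equals(pattern)) {
            return true;
        }
        // Accept only the common "*.domain.tld" form: one wildcard, as the leftmost label.
        if (!pattern.startsWith("*.") || pattern.indexOf('*', 1) != -1) {
            return false;
        }
        String suffix = pattern.substring(1);            // e.g. ".example.be"
        // Require at least two fixed labels after the wildcard so "*.be" never matches.
        if (suffix.indexOf('.', 1) == -1) {
            return false;
        }
        // The host must end with the suffix and have something in front of it.
        if (host.length() <= suffix.length() || !host.endsWith(suffix)) {
            return false;
        }
        // The wildcard covers exactly one label: "a.b.example.be" must not match.
        String wildcardPart = host.substring(0, host.length() - suffix.length());
        return !wildcardPart.isEmpty() && wildcardPart.indexOf('.') == -1;
    }

    public static void main(String[] args) {
        // Constructed sample pairs: the case from the log above plus the edge cases.
        String[][] cases = {
            {"webmail4.example.be", "*.example.be"},
            {"example.be", "*.example.be"},
            {"a.b.example.be", "*.example.be"},
            {"foo.be", "*.be"},
            {"WEBMAIL4.example.be", "webmail4.example.be"},
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
        }
    }
}
```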

