[cas-dev] HttpClient, host name verification and * certificates
Velpi
velpi at industria.be
Mon Aug 7 16:07:29 EDT 2006
> Before we do that though, is anyone familiar with the security
> ramifications of allowing * certificates?
The main issue is every machine that has the * certificate also has the matching
private key. In that case the truth of the identity (and encryption if you want
to go deep) is only as good as the combined security of *all* those machines
(and their admins). That's actually the reason why we're trying to get rid of
all * certificates, but we're stuck with them for at least a while... if we even
ever entirely get rid of them.
Note that * certificates are only valid for one level in DNS, so *.example.be is
not OK for x.y.example.be.
People like to use it in a name based virtualhost environment because you can't
put more than one certificate on one IP+port combination. Also it's usually
cheaper and sometimes it is needed for technical reasons.
It's a little like smelly cheese: learn to live with the smell or don't eat it.
I just (as in 5 minutes ago) got a note from the admin of the machines that cause
the problem. I gave him two options: make us wait with the upgrade until there's
a fix, or install individual certificates. He chose to install individual
certificates without hesitating, so the alert is down to orange for me ;).
A * certificate is definitely not the best, but one should be able to choose
some flexibility over superStrict. Besides, every browser supports *
certificates by default. In my opinion HttpClient should support it out of the
box (it doesn't seem that hard to implement when I look at the code, even to
make it optional).
-- Velpi
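The one-level rule from the post (*.example.be covers www.example.be but not x.y.example.be), written out as an added example; this is not HttpClient's code and not Velpi's. It assumes plain ASCII DNS names and, as an extra precaution not stated in the post, rejects a wildcard with fewer than two labels after it (so *.be never matches).

```python
"""Wildcard host name matching against certificate dNSName entries.

Added example, not part of HttpClient.  Rule demonstrated: '*' covers
exactly one DNS label, so '*.example.be' matches 'www.example.be' but
neither 'x.y.example.be' nor 'example.be'.  The 'strict' switch models the
superStrict policy from the post: wildcard names are simply ignored.
"""
from typing import List


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot (absolute form) is noise.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, host: str) -> bool:
    """True if a single certificate dNSName covers host."""
    cert_labels = _labels(cert_name)
    host_labels = _labels(host)
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Only a whole leftmost label may be the wildcard.  A bare '*', a
    # wildcard deeper in the name, or a partial label such as 'f*' is
    # rejected rather than interpreted.  Requiring at least two labels
    # after the '*' is an assumed precaution (blocks '*.be').
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    # Equal label counts enforce the one-level rule: the '*' stands for
    # one label, never for 'x.y' and never for nothing.
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def verify_host(host: str, dns_names: List[str], strict: bool = False) -> bool:
    """Accept host if any dNSName in the certificate covers it.

    strict=True ignores wildcard names entirely, so only an exact name
    (an 'individual certificate' in the post's terms) can match.
    """
    for name in dns_names:
        if strict and "*" in name:
            continue
        if name_matches(name, host):
            return True
    return False
```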