org.ldaptive.ssl
Class DefaultHostnameVerifier

java.lang.Object
  extended by org.ldaptive.ssl.DefaultHostnameVerifier
All Implemented Interfaces:
HostnameVerifier, CertificateHostnameVerifier

public class DefaultHostnameVerifier
extends Object
implements HostnameVerifier, CertificateHostnameVerifier

Hostname verifier that provides an implementation similar to what occurs with JNDI startTLS. Verification occurs in the following order:

Version:
$Revision: 3243 $ $Date: 2017-09-11 21:58:31 -0400 (Mon, 11 Sep 2017) $
Author:
Middleware Services

Nested Class Summary
static class DefaultHostnameVerifier.SSLSocketFactory
          Socket factory that uses DefaultHostnameVerifier.
 
Field Summary
protected  org.slf4j.Logger logger
          Logger for this class.
 
Constructor Summary
DefaultHostnameVerifier()
           
 
Method Summary
 boolean verify(String hostname, SSLSession session)
          
 boolean verify(String hostname, X509Certificate cert)
          Verify if the hostname is an IP address using LdapUtils.isIPAddress(String).
protected  boolean verifyDNS(String hostname, X509Certificate cert)
          Verify the certificate allows use of the supplied DNS name.
protected  boolean verifyIP(String ip, X509Certificate cert)
          Verify the certificate allows use of the supplied IP address.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected final org.slf4j.Logger logger
Logger for this class.

Constructor Detail

DefaultHostnameVerifier

public DefaultHostnameVerifier()
Method Detail

verify

public boolean verify(String hostname,
                      SSLSession session)

Specified by:
verify in interface HostnameVerifier

verify

public boolean verify(String hostname,
                      X509Certificate cert)
Verify if the hostname is an IP address using LdapUtils.isIPAddress(String). Delegates to verifyIP(String, X509Certificate) and verifyDNS(String, X509Certificate) accordingly.

Specified by:
verify in interface CertificateHostnameVerifier
Parameters:
hostname - to verify
cert - to verify hostname against
Returns:
whether hostname is valid for the supplied certificate

verifyIP

protected boolean verifyIP(String ip,
                           X509Certificate cert)
Verify the certificate allows use of the supplied IP address.

From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Parameters:
ip - address to match in the certificate
cert - to inspect for the IP address
Returns:
whether the ip matched a subject alt name

verifyDNS

protected boolean verifyDNS(String hostname,
                            X509Certificate cert)
Verify the certificate allows use of the supplied DNS name. Note that only the first CN is used.

From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name), a match in any one of the set is considered acceptable.

Parameters:
hostname - to match in the certificate
cert - to inspect for the hostname
Returns:
whether the hostname matched a subject alt name or CN
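The following is an added usage example, not code from the ldaptive project or this Javadoc. It runs the verifier against a server certificate for several candidate names (one DNS name, one that should fail, and an IP literal, which only passes when the certificate carries an iPAddress subjectAltName) and shows the same object installed as the javax.net.ssl.HostnameVerifier for a JNDI startTLS negotiation. The certificate path and host names are placeholders, and the LdapContext is assumed to be already connected.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import org.ldaptive.ssl.DefaultHostnameVerifier;

public class HostnameCheck {

  /** Reads the first X.509 certificate from a PEM or DER file. */
  static X509Certificate loadCert(String path) throws Exception {
    try (InputStream in = new FileInputStream(path)) {
      return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
  }

  /**
   * Applies verify(String, X509Certificate) to each candidate name. Per the Javadoc,
   * an IP literal is accepted only on an exact iPAddress SAN match; any other name must
   * match a dNSName SAN, falling back to the first CN only when no dNSName SAN exists.
   */
  static void report(X509Certificate cert, List<String> names) {
    DefaultHostnameVerifier verifier = new DefaultHostnameVerifier();
    for (String name : names) {
      boolean ok = verifier.verify(name, cert);
      System.out.printf("%-24s -> %s%n", name, ok ? "accepted" : "REJECTED");
    }
  }

  /** Installs the verifier on a JNDI startTLS handshake (verify(String, SSLSession) path). */
  static void startTlsWithVerifier(LdapContext ctx) throws Exception {
    StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
    tls.setHostnameVerifier(new DefaultHostnameVerifier());
    tls.negotiate();
  }

  public static void main(String[] args) throws Exception {
    // Placeholder path: point it at the certificate presented by your LDAP server.
    X509Certificate cert = loadCert(args.length > 0 ? args[0] : "server.pem");
    // Constructed sample names; only the first is expected to be accepted for a
    // typical server certificate with a dNSName SAN and no iPAddress SAN.
    report(cert, List.of("ldap.example.org", "wrong.example.org", "192.0.2.10"));
  }
}
```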


Copyright © 2003-2017 Virginia Tech. All Rights Reserved.