author | Alex Klyubin <klyubin@google.com> | 2014-09-17 10:54:21 -0700 |
---|---|---|
committer | Alex Klyubin <klyubin@google.com> | 2014-09-17 11:10:52 -0700 |
commit | 9be69a95272f93d7daa19053c61fae7c3d8ff30d (patch) | |
tree | 99369bbae9146e20a8060f47c2023a6d016c9906 /luni/src/main/java/javax | |
parent | 737ea55f0a003a07b90f88338da12b11b7d2859a (diff) | |
Enable hostname verification for absolute hostnames.

This makes the DefaultHostnameVerifier (the platform default
HostnameVerifier) match relative hostname patterns from CN and DNS
SubjectAltNames fields of TLS/SSL server certificates against
absolute hostnames. Absolute hostname patterns will still never match
relative hostnames because it is not known to what absolute name a
relative name was resolved by DNS.

For example, if hostname is "www.android.com." and server certificate
is for "www.android.com", hostname verification will now pass.
Whereas, if hostname is "www.android.com" and server certificate is
for "www.android.com.", hostname verification will still fail.

All of this is needed because server certificates do not normally
contain absolute hostnames or hostname patterns. At the same time,
connections via absolute hostnames should be supported and even
preferred in most cases, to avoid DNS search suffixes being added.

Bug: 17482685
Change-Id: I3f2006fa1110004b18ce627675334d2a54805c7a

Diffstat (limited to 'luni/src/main/java/javax')
-rw-r--r-- | luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java b/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java index 65c8b03..d6e2383 100644 --- a/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java +++ b/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java @@ -131,6 +131,14 @@ public final class DefaultHostnameVerifier implements HostnameVerifier { return false; } + if (hostName.endsWith(".") && !cn.endsWith(".")) { + // "www.android.com." matches "www.android.com" + // This is needed because server certificates do not normally contain absolute names + // or patterns. Connections via absolute hostnames should be supported and even + // preferred over those via relative hostnames, to avoid DNS suffixes being appended. + cn += '.'; + } + cn = cn.toLowerCase(Locale.US); if (!cn.contains("*")) { |
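Review bot: In the added `if (hostName.endsWith(".") && !cn.endsWith("."))` block, the dot is appended to `cn` before the `if (!cn.contains("*"))` branch, so a wildcard pattern such as "*.android.com" reaches the wildcard matching path as "*.android.com.", while the inline comment only documents the literal case ("www.android.com." matches "www.android.com"). Please confirm the wildcard path tolerates the extra trailing dot, and add tests for both directions stated in the commit message (absolute hostname against a relative pattern passes, relative hostname against an absolute pattern still fails), with at least one wildcard pattern. It is also not clear from these lines what happens when `hostName` is just "." or ends in more than one dot; if that is not rejected earlier in the method, a guard or a comment saying where it is handled would help.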