authorAlex Klyubin <klyubin@google.com>2014-09-17 10:54:21 -0700
committerAlex Klyubin <klyubin@google.com>2014-09-17 11:10:52 -0700
commit9be69a95272f93d7daa19053c61fae7c3d8ff30d (patch)
tree99369bbae9146e20a8060f47c2023a6d016c9906 /luni/src/main/java/javax
parent737ea55f0a003a07b90f88338da12b11b7d2859a (diff)
Enable hostname verification for absolute hostnames.
This makes the DefaultHostnameVerifier (the platform default HostnameVerifier) match relative hostname patterns from CN and DNS SubjectAltNames fields of TLS/SSL server certificates against absolute hostnames. Absolute hostname patterns will still never match relative hostnames because it is not known to what absolute name a relative name was resolved by DNS. For example, if hostname is "www.android.com." and server certificate is for "www.android.com", hostname verification will now pass. Whereas, if hostname is "www.android.com" and server certificate is for "www.android.com.", hostname verification will still fail. All of this is needed because server certificates do not normally contain absolute hostnames or hostname patterns. At the same time, connections via absolute hostnames should be supported and even preferred in most cases, to avoid DNS search suffixes being added. Bug: 17482685 Change-Id: I3f2006fa1110004b18ce627675334d2a54805c7a
Diffstat (limited to 'luni/src/main/java/javax')
-rw-r--r--luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java8
1 files changed, 8 insertions, 0 deletions
diff --git a/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java b/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java
index 65c8b03..d6e2383 100644
--- a/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java
+++ b/luni/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java
@@ -131,6 +131,14 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
return false;
}
+ if (hostName.endsWith(".") && !cn.endsWith(".")) {
+ // "www.android.com." matches "www.android.com"
+ // This is needed because server certificates do not normally contain absolute names
+ // or patterns. Connections via absolute hostnames should be supported and even
+ // preferred over those via relative hostnames, to avoid DNS suffixes being appended.
+ cn += '.';
+ }
+
cn = cn.toLowerCase(Locale.US);
if (!cn.contains("*")) {
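Review bot: The asymmetry this change depends on is recorded only in the commit message, not in the code: the comment inside the added `if (hostName.endsWith(".") && !cn.endsWith("."))` block explains why a relative pattern is made absolute, but not that the opposite direction must stay rejected. That second rule is the security-relevant one, because the absolute name a relative hostname resolved to is not known, so I would extend the comment with a line such as `// The reverse is intentionally not done: an absolute pattern never matches a relative hostname.` Only `cn` is lowercased in the visible lines, so it is worth confirming that `hostName` reaches this method already normalised to lower case; the comparison itself is outside the hunk and may handle this. The enclosing method starts before and continues past this hunk.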