Fix for #197 -- use a hostname verifier that does hostname verification #510

Merged
merged 3 commits into from Mar 30, 2014

@wsargent
Contributor

wsargent commented Mar 25, 2014

Fix for #197

See http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/ and http://tersesystems.com/2014/03/23/fixing-hostname-verification/

New certificates created with:

keytool -genkeypair \
  -keystore keystore.jks \
  -dname "CN=OLEKSIYS-W3T, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" \
  -keypass changeit \
  -storepass changeit \
  -keyalg RSA \
  -keysize 2048 \
  -alias s1as \
  -ext SAN=DNS:localhost,IP:127.0.0.1 \
  -validity 9999

keytool -delete -alias s1as -storepass changeit -keystore ssltest-cacerts.jks
keytool -delete -alias s1as -storepass changeit -keystore ssltest-keystore.jks

keytool -importkeystore \
  -srckeystore keystore.jks \
  -srcstoretype JKS \
  -srcstorepass changeit \
  -deststoretype JKS \
  -deststorepass changeit \
  -destkeystore ssltest-keystore.jks

keytool -importkeystore \
  -srckeystore keystore.jks \
  -srcstoretype JKS \
  -srcstorepass changeit \
  -deststoretype JKS \
  -deststorepass changeit \
  -destkeystore ssltest-cacerts.jks

To view the new certificate:

keytool -list -v -alias s1as -storepass changeit -keystore  ssltest-cacerts.jks
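
Added example, not part of the pull request or of AsyncHttpClient: a programmatic version of the check above that loads the regenerated `s1as` certificate and confirms it carries the SAN entries requested with `-ext SAN=DNS:localhost,IP:127.0.0.1`, which are the names a hostname verifier compares against. The class name `SanCheck` and helper `sanContains` are hypothetical; it assumes `ssltest-cacerts.jks` from the commands above is in the working directory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Added example, not AsyncHttpClient code. Assumes ssltest-cacerts.jks from the
// commands above is in the working directory (alias s1as, password changeit).
public class SanCheck {
    private static final int DNS_NAME = 2;   // GeneralName tag for dNSName
    private static final int IP_ADDRESS = 7; // GeneralName tag for iPAddress

    // True if the certificate lists `host` in a SAN entry of the given type.
    // Exact, case-insensitive match only: no wildcard handling, no CN fallback.
    static boolean sanContains(X509Certificate cert, int type, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // certificate has no SAN extension at all
        }
        for (List<?> entry : sans) {
            Integer tag = (Integer) entry.get(0);
            if (tag == type && host.equalsIgnoreCase(String.valueOf(entry.get(1)))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("ssltest-cacerts.jks")) {
            ks.load(in, "changeit".toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate("s1as");
        if (cert == null) {
            throw new IllegalStateException("alias s1as not found in keystore");
        }
        boolean dnsOk = sanContains(cert, DNS_NAME, "localhost");
        boolean ipOk = sanContains(cert, IP_ADDRESS, "127.0.0.1");
        System.out.println("SAN DNS:localhost -> " + dnsOk);
        System.out.println("SAN IP:127.0.0.1  -> " + ipOk);
        if (!dnsOk || !ipOk) {
            System.exit(1); // the SAN entries requested with -ext are missing
        }
    }
}
```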

jfarcand added a commit that referenced this pull request Mar 30, 2014

Merge pull request #510 from wsargent/fix-197
Fix for #197 -- use a hostname verifier that does hostname verification

@jfarcand jfarcand merged commit 3c9152e into AsyncHttpClient:master Mar 30, 2014

@jfarcand

Contributor

jfarcand commented Mar 30, 2014

Thanks!!!!

@slandelle slandelle added this to the 2.0.0.Alpha1 milestone Mar 30, 2014

@slandelle slandelle modified the milestones: 1.9.0, 2.0.0.Alpha1 Jul 10, 2014

varyvol added a commit to varyvol/async-http-client that referenced this pull request Nov 13, 2018

varyvol added a commit to jenkinsci/lib-async-http-client that referenced this pull request Nov 20, 2018

[JENKINS-54601] Include security fixes from 1.9.40 in 1.7.24.X (#3)
* Change version for jenkins
* [SECURITY-650] Introduce acceptAnyCertificate config, defaulting to false
* Use a hostname verifier that does hostname verification, backport AsyncHttpClient#510, close AsyncHttpClient#197
* Bump netty version
* Restore necessary compatibility
* [JENKINS-54601] Fix test failures.
* [JENKINS-54601] Correct POM info.
* Add script to make it easier to get a working JDK7 environment
* [JENKINS-54601] Include proper hostname verifier logic.
* [JENKINS-54601] Update README.