Class DefaultHostnameVerifier

  • All Implemented Interfaces:
    javax.net.ssl.HostnameVerifier, CertificateHostnameVerifier

    public class DefaultHostnameVerifier
    extends java.lang.Object
    implements javax.net.ssl.HostnameVerifier, CertificateHostnameVerifier
    Hostname verifier that provides an implementation similar to what occurs with JNDI startTLS. Verification occurs in the following order:
    • if the hostname is an IP address, the certificate must contain an iPAddress subjectAltName that matches it exactly
    • otherwise, if the certificate carries any dNSName subjectAltNames, the hostname must match one of them
    • otherwise, the hostname must match the first CN of the subject
    • if the certificate name begins with a wildcard, the domain portions are compared
    Author:
    Middleware Services
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected org.slf4j.Logger logger
      Logger for this class.
    • Method Summary

      Modifier and Type Method Description
      boolean verify(java.lang.String hostname, java.security.cert.X509Certificate cert)
      Verify if the hostname is an IP address using LdapUtils.isIPAddress(String).
      boolean verify(java.lang.String hostname, javax.net.ssl.SSLSession session)
      protected boolean verifyDNS(java.lang.String hostname, java.security.cert.X509Certificate cert)
      Verify the certificate allows use of the supplied DNS name.
      protected boolean verifyIP(java.lang.String ip, java.security.cert.X509Certificate cert)
      Verify the certificate allows use of the supplied IP address.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • logger

        protected final org.slf4j.Logger logger
        Logger for this class.
    • Constructor Detail

      • DefaultHostnameVerifier

        public DefaultHostnameVerifier()
    • Method Detail

      • verify

        public boolean verify(java.lang.String hostname,
                              javax.net.ssl.SSLSession session)
        Specified by:
        verify in interface javax.net.ssl.HostnameVerifier
      • verifyIP

        protected boolean verifyIP(java.lang.String ip,
                                   java.security.cert.X509Certificate cert)
        Verify the certificate allows use of the supplied IP address.

        From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

        Parameters:
        ip - address to match in the certificate
        cert - to inspect for the IP address
        Returns:
        whether the ip matched a subject alt name
      • verifyDNS

        protected boolean verifyDNS(java.lang.String hostname,
                                    java.security.cert.X509Certificate cert)
        Verify the certificate allows use of the supplied DNS name. Note that only the first CN is used.

        From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

        Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name), a match in any one of the set is considered acceptable.

        Parameters:
        hostname - to match in the certificate
        cert - to inspect for the hostname
        Returns:
        whether the hostname matched a subject alt name or CN
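
        As an added illustration of the verification order described in the class overview and in the verifyIP/verifyDNS contracts (example code, not ldaptive's own DefaultHostnameVerifier): the certificate identities are passed in already extracted, isIpAddress is a hypothetical stand-in for LdapUtils.isIPAddress, and the wildcard rule is assumed to compare the part after the first label (Java 16+ for the record type).

```java
import java.util.List;
import java.util.Locale;

/** Added example of the documented verification order; not ldaptive's own DefaultHostnameVerifier code. */
public final class HostnameVerifyExample {
  /** Identities already extracted from the certificate: dNSName SANs, iPAddress SANs, first CN (null if none). */
  record Identities(List<String> dnsNames, List<String> ipAddresses, String firstCn) {}

  /** Applies the documented steps in order and reports whether the hostname is allowed by the certificate. */
  static boolean verify(String hostname, Identities ids) {
    if (isIpAddress(hostname)) {
      // Step 1: an IP literal must exactly match an iPAddress SAN; dNSName and CN are never consulted.
      return ids.ipAddresses().stream().anyMatch(ip -> ip.equalsIgnoreCase(hostname));
    }
    if (!ids.dnsNames().isEmpty()) {
      // Step 2: when dNSName SANs exist they are authoritative, so the CN is ignored (RFC 2818).
      return ids.dnsNames().stream().anyMatch(name -> matches(hostname, name));
    }
    // Step 3: the first CN is consulted only when the certificate carries no dNSName SAN.
    return ids.firstCn() != null && matches(hostname, ids.firstCn());
  }

  /** Step 4: a name beginning with "*." matches on the domain part only (assumption: one label per wildcard). */
  static boolean matches(String hostname, String certName) {
    String h = hostname.toLowerCase(Locale.ROOT);
    String c = certName.toLowerCase(Locale.ROOT);
    if (c.startsWith("*.")) {
      int dot = h.indexOf('.');
      return dot > 0 && h.substring(dot + 1).equals(c.substring(2));
    }
    return h.equals(c);
  }

  /** Hypothetical stand-in for LdapUtils.isIPAddress: a syntactic check that never triggers a DNS lookup. */
  static boolean isIpAddress(String s) {
    return s.matches("\\d{1,3}(\\.\\d{1,3}){3}") || s.contains(":");
  }

  public static void main(String[] args) {
    // Constructed identities; no real certificate is parsed here.
    Identities withSan = new Identities(List.of("*.example.com"), List.of("192.0.2.10"), "ldap.example.com");
    Identities cnOnly = new Identities(List.of(), List.of(), "ldap.example.com");
    System.out.println(verify("ldap.example.com", withSan)); // wildcard dNSName path
    System.out.println(verify("a.b.example.com", withSan));  // wildcard covers a single label only
    System.out.println(verify("192.0.2.10", withSan));       // exact iPAddress match
    System.out.println(verify("192.0.2.11", withSan));       // an IP literal never falls back to the CN
    System.out.println(verify("ldap.example.com", cnOnly));  // CN consulted only without dNSName SANs
  }
}
```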