- DefaultAndLocalHost
- Strict
- AllowAll
DefaultAndLocalHost
If the "HostnameVerifier" value is set to "DefaultAndLocalHost", then the SSL handshake will be successful only if one of the following is satisfied.
- The hostname must match either the first CN, or any of the subject-alts of the server certificate (the same way curl and Firefox do). A wildcard can occur in the CN, and in any of the subject-alts. The only difference between DefaultAndLocalHost (DEFAULT) and Strict (STRICT) is that a wildcard (such as "*.foo.com") under DEFAULT matches all subdomains, including "a.b.foo.com".
- A host of "localhost", "localhost.localdomain", "127.0.0.1", "::1" will always pass, no matter what is in the server's certificate.
Strict
If the "HostnameVerifier" value is set to "Strict", then the SSL handshake will be successful only when the following criterion is met.
The hostname must match either the first CN, or any of the subject-alts of the server certificate. A wildcard can occur in the CN, and in any of the subject-alts. This will only check the first CN of the certificate similar to Sun Java 1.4. A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com".
This works the same way as java.net.URL in Sun Java 1.4, Sun Java 5, Sun Java 6. This implementation appears to be compliant with RFC 2818 for dealing with wildcards.
This functionality is also very close to IE6. The one divergence from IE6 is that it only checks the first CN. IE6 allows a match against any of the CNs present.
AllowAll
Setting "HostnameVerifier" to "AllowAll" turns hostname verification off. This implementation is a no-op and never throws an SSLException.
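The three modes above, modelled as a stand-alone matching function so the wildcard and localhost rules can be exercised against sample certificate names. This is an added illustration, not the verifier's own code, and it assumes a wildcard is a leading "*." label as in the page's examples and that matching is case-insensitive; the host and certificate names are constructed.

```python
from typing import Iterable

# Hosts that DefaultAndLocalHost accepts regardless of the certificate.
LOCALHOST_NAMES = frozenset({"localhost", "localhost.localdomain", "127.0.0.1", "::1"})


def _name_matches(pattern: str, hostname: str, strict: bool) -> bool:
    """Match one certificate name (CN or subject-alt) against the hostname.

    Assumption: a wildcard is a leading "*." label. In Strict mode it covers
    exactly one label ("*.foo.com" matches "a.foo.com" but not "a.b.foo.com");
    in DefaultAndLocalHost mode it covers any number of labels.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".foo.com"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]          # "a" or "a.b"
    if not prefix:
        return False                           # "foo.com" itself is not covered by "*.foo.com"
    return True if not strict else "." not in prefix


def verify_hostname(mode: str, hostname: str, cns: Iterable[str],
                    subject_alts: Iterable[str]) -> bool:
    """Return True when the handshake would succeed under the given HostnameVerifier mode."""
    if mode == "AllowAll":
        return True                            # no-op: never rejects anything
    if mode not in ("DefaultAndLocalHost", "Strict"):
        raise ValueError(f"unknown HostnameVerifier mode {mode!r}")
    if mode == "DefaultAndLocalHost" and hostname.lower() in LOCALHOST_NAMES:
        return True                            # loopback names bypass the certificate check
    strict = mode == "Strict"
    # Only the first CN is consulted (unlike IE6, which accepts any CN), plus every subject-alt.
    candidates = list(cns)[:1] + list(subject_alts)
    return any(_name_matches(name, hostname, strict) for name in candidates)


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate checked against a two-level subdomain.
    for mode in ("DefaultAndLocalHost", "Strict", "AllowAll"):
        print(mode, verify_hostname(mode, "a.b.foo.com", ["*.foo.com"], []))
```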