Commit graph

9 commits

Author SHA1 Message Date
Daniel Gultsch c8bd5bc1f5 made OF selfSigned() workaround only available >=kitkat
this undos 8a729061d5. as it turns out 4.1
and 4.0 only break when checking if a cert is self signed.
2017-07-23 07:47:39 +02:00
Daniel Gultsch 8a729061d5 use CN-workaround for pre-kitkat 2017-07-17 23:13:55 +02:00
Daniel Gultsch 217335703c fix regression introduces with OF fix. properly fall back to common name 2017-07-17 21:11:15 +02:00
Daniel Gultsch 8afe7efc2c workaround for OpenFire: check CN first in self signed certs
The self signed certificates created by OpenFire (Not sure if other
certs are affected as well) will crash the Java/Android TLS stack when
accessing getSubjectAlternativeNames() on the the peer certificate.

This usually goes unnoticed in other applications since the
DefaultHostnameVerifier checkes the CN first. That however is a
violation of RFC6125 section 6.4.4 which requires us to check for the
existence of SAN first.

This commit adds a work around where in self signed certificates we
check for the CN first as well. (Avoiding the call to
getSubjectAlternativeNames())
2017-07-16 11:05:25 +02:00
Daniel Gultsch 2ed71df01a also check for hostname in in certs if hostname is from trusted source 2017-06-21 23:40:01 +02:00
Daniel Gultsch c1716a35e3 moved other name parsing into seperate method 2015-10-15 20:05:55 +02:00
Daniel Gultsch fc96dcaa4d use constants for oids in xmppdomainverifier 2015-10-15 19:14:41 +02:00
Daniel Gultsch 5b271e1ed8 more checks for xmppdomainverifier and better wildcard handling 2015-10-15 18:06:26 +02:00
Daniel Gultsch e75c2cd731 use own XmppDomainVerifier instead of deprecated StrictHostnameVerifier. fixes #1189 2015-10-15 17:08:38 +02:00