Commit graph

6 commits

Author SHA1 Message Date
Daniel Gultsch 8afe7efc2c workaround for OpenFire: check CN first in self signed certs
The self signed certificates created by OpenFire (Not sure if other
certs are affected as well) will crash the Java/Android TLS stack when
accessing getSubjectAlternativeNames() on the peer certificate.

This usually goes unnoticed in other applications since the
DefaultHostnameVerifier checks the CN first. That however is a
violation of RFC6125 section 6.4.4 which requires us to check for the
existence of SAN first.

This commit adds a work around where in self signed certificates we
check for the CN first as well. (Avoiding the call to
getSubjectAlternativeNames())
2017-07-16 11:05:25 +02:00
Daniel Gultsch 2ed71df01a also check for hostname in certs if hostname is from trusted source 2017-06-21 23:40:01 +02:00
Daniel Gultsch c1716a35e3 moved other name parsing into separate method 2015-10-15 20:05:55 +02:00
Daniel Gultsch fc96dcaa4d use constants for oids in xmppdomainverifier 2015-10-15 19:14:41 +02:00
Daniel Gultsch 5b271e1ed8 more checks for xmppdomainverifier and better wildcard handling 2015-10-15 18:06:26 +02:00
Daniel Gultsch e75c2cd731 use own XmppDomainVerifier instead of deprecated StrictHostnameVerifier. fixes #1189 2015-10-15 17:08:38 +02:00