modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HostnameVerifier.java [352:440]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
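        /**
         * Verifies that at least one of the requested host names is covered by a
         * name taken from the peer certificate.
         *
         * <p>Candidate names are the first CN (every CN when {@code ie6} is set)
         * plus every non-null entry of {@code subjectAlts}. A candidate of the
         * form {@code *.domain} is treated as a wildcard only when it has a
         * second dot after the {@code *.} prefix and passes the
         * {@code isIP4Address} / {@code acceptableCountryWildcard} checks; any
         * other candidate must equal the host exactly.
         *
         * <p>Side effect: the entries of {@code hosts} are replaced in place by
         * their trimmed, lower-cased form ({@code null} becomes {@code ""}).
         *
         * @param hosts                host names the caller intended to reach
         * @param cns                  common names from the certificate subject; may be null
         * @param subjectAlts          subjectAlt names from the certificate; may be null
         * @param ie6                  when true, all CNs are considered instead of only the first
         * @param strictWithSubDomains when true, a wildcard match additionally requires
         *                             {@code countDots(host) == countDots(pattern)}
         * @throws SSLException if the certificate supplies no usable name or no
         *                      name matches any of the hosts
         */
        public void check(final String[] hosts, final String[] cns,
            final String[] subjectAlts, final boolean ie6,
            final boolean strictWithSubDomains)
            throws SSLException {
            // Build up lists of allowed hosts for logging/debugging purposes.
            // NOTE(review): toLowerCase() here and below uses the JVM default
            // locale; a locale-independent form would make the comparison
            // independent of the deployment's locale settings - confirm the
            // minimum Java level before changing.
            StringBuffer buf = new StringBuffer(32);
            buf.append('<');
            for (int i = 0; i < hosts.length; i++) {
                String h = hosts[i];
                h = h != null ? h.trim().toLowerCase() : "";
                hosts[i] = h;
                if (i > 0) {
                    buf.append('/');
                }
                buf.append(h);
            }
            buf.append('>');
            String hostnames = buf.toString();
            // Build the list of names we're going to check.  Our DEFAULT and
            // STRICT implementations of the HostnameVerifier only use the
            // first CN provided.  All other CNs are ignored.
            // (Firefox, wget, curl, Sun Java 1.4, 5, 6 all work this way).
            TreeSet names = new TreeSet();
            if (cns != null && cns.length > 0 && cns[0] != null) {
                names.add(cns[0]);
                if (ie6) {
                    for (int i = 1; i < cns.length; i++) {
                        // Skip null entries, as the subjectAlt loop does; adding
                        // null to the sorted set would raise a
                        // NullPointerException instead of an SSLException.
                        if (cns[i] != null) {
                            names.add(cns[i]);
                        }
                    }
                }
            }
            if (subjectAlts != null) {
                for (int i = 0; i < subjectAlts.length; i++) {
                    if (subjectAlts[i] != null) {
                        names.add(subjectAlts[i]);
                    }
                }
            }
            if (names.isEmpty()) {
                // An empty hosts array must still end in an SSLException rather
                // than an ArrayIndexOutOfBoundsException.
                String target = hosts.length > 0 ? hosts[0] : hostnames;
                String msg = "Certificate for " + target + " doesn't contain CN or DNS subjectAlt";
                throw new SSLException(msg);
            }

            // StringBuffer for building the error message.
            buf = new StringBuffer();

            boolean match = false;
            out:
            for (Iterator it = names.iterator(); it.hasNext();) {
                // Don't trim the CN, though!
                String cn = (String) it.next();
                cn = cn.toLowerCase();
                // Store CN in StringBuffer in case we need to report an error.
                buf.append(" <");
                buf.append(cn);
                buf.append('>');
                if (it.hasNext()) {
                    buf.append(" OR");
                }

                // The CN must have at least two dots to get wildcard treatment.
                // startsWith("*.") already guarantees the first dot, so look for
                // a second one after the prefix; otherwise a certificate for
                // [*.com] would cover every host under that suffix.  It also
                // can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc...
                boolean doWildcard = cn.startsWith("*.") &&
                    cn.indexOf('.', 2) != -1 &&
                    !isIP4Address(cn) &&
                    acceptableCountryWildcard(cn);

                for (int i = 0; i < hosts.length; i++) {
                    // hosts[i] was normalized above; the repeated trim/lower-case
                    // is kept as a cheap no-op.
                    final String hostName = hosts[i].trim().toLowerCase();
                    // A wildcard must never cover a literal IP address: the
                    // suffix test below is purely textual.  The check on cn
                    // above cannot catch this, since a "*."-prefixed name is
                    // not an address.  (Assumes isIP4Address recognises
                    // dotted-quad strings - defined outside this block.)
                    if (doWildcard && !isIP4Address(hostName)) {
                        match = hostName.endsWith(cn.substring(1));
                        if (match && strictWithSubDomains) {
                            // If we're in strict mode, then [*.foo.com] is not
                            // allowed to match [a.b.foo.com]
                            match = countDots(hostName) == countDots(cn);
                        }
                    } else {
                        match = hostName.equals(cn);
                    }
                    if (match) {
                        break out;
                    }
                }
            }
            if (!match) {
                throw new SSLException("hostname in certificate didn't match: " + hostnames + " !=" + buf);
            }
        }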
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/HostnameVerifier.java [354:442]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
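        /**
         * Verifies that at least one of the requested host names is covered by a
         * name taken from the peer certificate.
         *
         * <p>Candidate names are the first CN (every CN when {@code ie6} is set)
         * plus every non-null entry of {@code subjectAlts}. A candidate of the
         * form {@code *.domain} is treated as a wildcard only when it has a
         * second dot after the {@code *.} prefix and passes the
         * {@code isIP4Address} / {@code acceptableCountryWildcard} checks; any
         * other candidate must equal the host exactly.
         *
         * <p>Side effect: the entries of {@code hosts} are replaced in place by
         * their trimmed, lower-cased form ({@code null} becomes {@code ""}).
         *
         * @param hosts                host names the caller intended to reach
         * @param cns                  common names from the certificate subject; may be null
         * @param subjectAlts          subjectAlt names from the certificate; may be null
         * @param ie6                  when true, all CNs are considered instead of only the first
         * @param strictWithSubDomains when true, a wildcard match additionally requires
         *                             {@code countDots(host) == countDots(pattern)}
         * @throws SSLException if the certificate supplies no usable name or no
         *                      name matches any of the hosts
         */
        public void check(final String[] hosts, final String[] cns,
            final String[] subjectAlts, final boolean ie6,
            final boolean strictWithSubDomains)
            throws SSLException {
            // Build up lists of allowed hosts for logging/debugging purposes.
            // NOTE(review): toLowerCase() here and below uses the JVM default
            // locale; a locale-independent form would make the comparison
            // independent of the deployment's locale settings - confirm the
            // minimum Java level before changing.
            StringBuffer buf = new StringBuffer(32);
            buf.append('<');
            for (int i = 0; i < hosts.length; i++) {
                String h = hosts[i];
                h = h != null ? h.trim().toLowerCase() : "";
                hosts[i] = h;
                if (i > 0) {
                    buf.append('/');
                }
                buf.append(h);
            }
            buf.append('>');
            String hostnames = buf.toString();
            // Build the list of names we're going to check.  Our DEFAULT and
            // STRICT implementations of the HostnameVerifier only use the
            // first CN provided.  All other CNs are ignored.
            // (Firefox, wget, curl, Sun Java 1.4, 5, 6 all work this way).
            TreeSet names = new TreeSet();
            if (cns != null && cns.length > 0 && cns[0] != null) {
                names.add(cns[0]);
                if (ie6) {
                    for (int i = 1; i < cns.length; i++) {
                        // Skip null entries, as the subjectAlt loop does; adding
                        // null to the sorted set would raise a
                        // NullPointerException instead of an SSLException.
                        if (cns[i] != null) {
                            names.add(cns[i]);
                        }
                    }
                }
            }
            if (subjectAlts != null) {
                for (int i = 0; i < subjectAlts.length; i++) {
                    if (subjectAlts[i] != null) {
                        names.add(subjectAlts[i]);
                    }
                }
            }
            if (names.isEmpty()) {
                // An empty hosts array must still end in an SSLException rather
                // than an ArrayIndexOutOfBoundsException.
                String target = hosts.length > 0 ? hosts[0] : hostnames;
                String msg = "Certificate for " + target + " doesn't contain CN or DNS subjectAlt";
                throw new SSLException(msg);
            }

            // StringBuffer for building the error message.
            buf = new StringBuffer();

            boolean match = false;
            out:
            for (Iterator it = names.iterator(); it.hasNext();) {
                // Don't trim the CN, though!
                String cn = (String) it.next();
                cn = cn.toLowerCase();
                // Store CN in StringBuffer in case we need to report an error.
                buf.append(" <");
                buf.append(cn);
                buf.append('>');
                if (it.hasNext()) {
                    buf.append(" OR");
                }

                // The CN must have at least two dots to get wildcard treatment.
                // startsWith("*.") already guarantees the first dot, so look for
                // a second one after the prefix; otherwise a certificate for
                // [*.com] would cover every host under that suffix.  It also
                // can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc...
                boolean doWildcard = cn.startsWith("*.") &&
                    cn.indexOf('.', 2) != -1 &&
                    !isIP4Address(cn) &&
                    acceptableCountryWildcard(cn);

                for (int i = 0; i < hosts.length; i++) {
                    // hosts[i] was normalized above; the repeated trim/lower-case
                    // is kept as a cheap no-op.
                    final String hostName = hosts[i].trim().toLowerCase();
                    // A wildcard must never cover a literal IP address: the
                    // suffix test below is purely textual.  The check on cn
                    // above cannot catch this, since a "*."-prefixed name is
                    // not an address.  (Assumes isIP4Address recognises
                    // dotted-quad strings - defined outside this block.)
                    if (doWildcard && !isIP4Address(hostName)) {
                        match = hostName.endsWith(cn.substring(1));
                        if (match && strictWithSubDomains) {
                            // If we're in strict mode, then [*.foo.com] is not
                            // allowed to match [a.b.foo.com]
                            match = countDots(hostName) == countDots(cn);
                        }
                    } else {
                        match = hostName.equals(cn);
                    }
                    if (match) {
                        break out;
                    }
                }
            }
            if (!match) {
                throw new SSLException("hostname in certificate didn't match: " + hostnames + " !=" + buf);
            }
        }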
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



