Mailing Lists: Apple Mailing Lists


Re: Getting the computer name in pure java



Bill Janssen wrote:

>Just to explain why I need this: I run services on a laptop that has
>several different names, depending on whether it's on our wireless
>network, connected to a hardwire ethernet, or at home connected via
>our hardware VPN system (where it could potentially have four
>different names, depending on how it's plugged in).  But when my Java
>client connects to one of them, using HTTP over SSL, it insists on
>verifying the service the way RFC 2818 says to (actually, it
>doesn't say to; it's an informational RFC).  But, of course, since the
>name of the machine has changed, the cert for the service has changed
>as well.  To work around this, the server is notified of network
>changes, and tries to figure out the name of the machine, and pick the
>right cert.  To know only the local name, without the FQDN, which
>seems to be the default on a Mac, is useless.  But there also doesn't
>seem to be any reliable way to *obtain* the current FQDN on a Mac,
>certainly not from Java.  In fact, I gave up trying to figure it out
>from Java; instead, I run a Python script from Java which tries to
>figure it out, and returns the result to Java.

RFC 2818 says:
  "If the client has external information as to the expected identity of
   the server, the hostname check MAY be omitted. ..."
at paragraph 2 of section 3.1 Server Identity.  It sounds to me like you're
doing what you should be doing: using external information.  You're just
doing it on the server, so the client doesn't have to do it.

It also seems you should be able to reasonably trust that the server
providing the cert has the corresponding private key, otherwise SSL
wouldn't work, because SSL uses public-key crypto to exchange session keys,
right?  So if you trust the cert chain and its CA, and you trust the
private key as uncompromised, then I think you can trust the connection as
having no MITM.  If you don't trust the CA, then it doesn't matter that the
FQDN matches.

I'm also wondering whether you're using the JDK 1.4+ endpoint-oriented
networking API, such as the SocketAddress & NetworkInterface classes, and
corresponding methods in Socket and ServerSocket.  Because I thought those
allowed for enumeration of multiple network interfaces, and provided the
proper multi-homed name lookups.

  -- GG
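The two points raised in this reply, enumerating the host's names through NetworkInterface and applying "external information" instead of the plain URL-hostname check, can be combined in Java as follows. This is an added example, not code from either poster: it assumes Java 7 or later, that the certificate carries dNSName subjectAltName entries (type 2), and that the chain itself is still validated by the default TrustManager; the `https://laptop.example/` URL in the comment is a placeholder.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public final class MultiHomedNames {

    /**
     * Collects every canonical name the host currently answers to, one per
     * up, non-loopback, non-link-local address. getCanonicalHostName() does a
     * reverse (PTR) lookup, so an address with no PTR record contributes nothing;
     * that is the unreliability the thread complains about, made explicit here.
     */
    public static Set<String> localCanonicalNames() throws SocketException {
        Set<String> names = new LinkedHashSet<String>();
        for (NetworkInterface ni : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            if (!ni.isUp() || ni.isLoopback()) {
                continue;
            }
            for (InetAddress addr : Collections.list(ni.getInetAddresses())) {
                if (addr.isLinkLocalAddress()) {
                    continue;
                }
                String canonical = addr.getCanonicalHostName();
                // Falls back to the textual address when there is no PTR record; skip those.
                if (!canonical.equals(addr.getHostAddress())) {
                    names.add(canonical.toLowerCase(Locale.ROOT));
                }
            }
        }
        return names;
    }

    /** Names a certificate claims for itself: its dNSName subjectAltName entries. */
    static Set<String> certificateDnsNames(X509Certificate cert) throws CertificateParsingException {
        Set<String> out = new LinkedHashSet<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName; the value is the name as a String.
                if (((Integer) san.get(0)) == 2) {
                    out.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        return out;
    }

    /**
     * RFC 2818 section 3.1: the hostname check MAY be omitted when the client
     * has external information about the expected identity. Here that information
     * is the set of names the client knows belong to its own service, so the
     * verifier ignores the URL's hostname but still requires the presented
     * certificate to name one of those known hosts. It never returns true blindly.
     */
    public static HostnameVerifier knownNamesVerifier(final Set<String> knownNames) {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                        return false;
                    }
                    for (String name : certificateDnsNames((X509Certificate) chain[0])) {
                        if (knownNames.contains(name)) {
                            return true;
                        }
                    }
                } catch (SSLPeerUnverifiedException e) {
                    return false;
                } catch (CertificateParsingException e) {
                    return false;
                }
                return false;
            }
        };
    }

    public static void main(String[] args) throws SocketException {
        Set<String> names = localCanonicalNames();
        System.out.println("Names this host currently resolves to: " + names);
        // Usage on a single connection to the self-hosted service (placeholder URL):
        // HttpsURLConnection conn = (HttpsURLConnection)
        //         new URL("https://laptop.example/").openConnection();
        // conn.setHostnameVerifier(knownNamesVerifier(names));
    }
}
```

Set the verifier per connection rather than with `HttpsURLConnection.setDefaultHostnameVerifier`, so only the connection to the laptop's own service relaxes the URL-name check; every other HTTPS connection keeps the standard RFC 2818 behaviour. The TrustManager still has to accept the chain during the handshake, which is the "trust the cert chain and its CA" condition the reply above relies on.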


Java-dev mailing list (email@hidden)

Copyright © 2007 Apple Inc. All rights reserved.