Class HostNameSSLSocketVerifier

java.lang.Object
com.unboundid.util.ssl.SSLSocketVerifier
com.unboundid.util.ssl.HostNameSSLSocketVerifier
All Implemented Interfaces:
HostnameVerifier

This class provides an implementation of an SSLSocket verifier that will verify that the presented server certificate includes the address to which the client intended to establish a connection. It will check the CN attribute of the certificate subject, as well as certain subjectAltName extensions, including dNSName, uniformResourceIdentifier, and iPAddress. This check is separate from certificate chain validation: a trust manager alone will accept any certificate that chains to a trusted issuer, regardless of which host that certificate names, so a client that omits hostname verification can be redirected to a different server that holds a valid certificate for a different name.
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT
    The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values.
  • Constructor Summary

    Constructors
    Constructor
    Description
    HostNameSSLSocketVerifier(boolean allowWildcards)
    Creates a new instance of this SSLSocket verifier.
    HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent)
    Creates a new instance of this SSLSocket verifier.
  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    verify(String hostname, SSLSession session)
    Verifies that the provided hostname is acceptable for use with the negotiated SSL session.
    void
    verifySSLSocket(String host, int port, SSLSocket sslSocket)
    Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT

      The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.
  • Constructor Details

    • HostNameSSLSocketVerifier

      public HostNameSSLSocketVerifier(boolean allowWildcards)
      Creates a new instance of this SSLSocket verifier.
      Parameters:
      allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.
    • HostNameSSLSocketVerifier

      public HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent)
      Creates a new instance of this SSLSocket verifier.
      Parameters:
      allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.
      checkCNWhenSubjectAltNameIsPresent - Indicates whether to check the CN attribute in the peer certificate's subject DN if the certificate also contains a subject alternative name extension that contains at least one dNSName, uniformResourceIdentifier, or iPAddress value. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.
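      The following is an added example of wiring this verifier into an LDAPS connection; it is not code from this page or from the UnboundID LDAP SDK itself. It assumes the SDK classes LDAPConnection, LDAPConnectionOptions, SSLUtil and TrustStoreTrustManager are on the classpath, that the verifier set through LDAPConnectionOptions.setSSLSocketVerifier is invoked by LDAPConnection once the TLS handshake completes, and that a PKCS#12 or JKS trust store exists at the path passed in. The host, port and trust store path are placeholders supplied by the caller.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;

/**
 * Establishes an LDAPS connection whose server certificate is checked both
 * for a trusted chain (trust manager) and for the dialed host name (verifier).
 */
public final class VerifiedLDAPSConnection {

  private VerifiedLDAPSConnection() {}

  /**
   * @param host           the address the client intends to reach; this is the
   *                       value the verifier compares against the certificate
   * @param port           the LDAPS port, typically 636
   * @param trustStorePath assumed path to a trust store holding the issuing CA
   */
  public static LDAPConnection connect(final String host, final int port,
                                       final String trustStorePath)
      throws LDAPException, GeneralSecurityException {
    // Chain validation only: accepts any certificate issued by a CA in the
    // trust store, whatever host name that certificate carries.
    final SSLUtil sslUtil =
        new SSLUtil(new TrustStoreTrustManager(trustStorePath));
    final SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    final LDAPConnectionOptions options = new LDAPConnectionOptions();

    // allowWildcards=false: a certificate for *.example.com is rejected even
    //   when the dialed host is ldap.example.com.
    // checkCNWhenSubjectAltNameIsPresent=false: follow RFC 6125 section 6.4.4
    //   and ignore the subject CN whenever a usable subjectAltName is present,
    //   instead of the historical LDAP behaviour of treating both as valid.
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(false, false));

    // If the certificate does not name `host`, the verifier throws
    // LDAPException and the SDK closes the socket rather than leaving a
    // connection to an unverified peer open.
    return new LDAPConnection(socketFactory, options, host, port);
  }
}
```

      Passing false for both constructor arguments is the strict configuration. Enabling allowWildcards is reasonable where the directory servers really are issued wildcard certificates, but enabling checkCNWhenSubjectAltNameIsPresent should be a deliberate compatibility decision, since it reinstates acceptance of a CN that a standards-conforming verifier would ignore.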
  • Method Details

    • verifySSLSocket

      public void verifySSLSocket(@NotNull String host, int port, @NotNull SSLSocket sslSocket) throws LDAPException
      Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.
      Specified by:
      verifySSLSocket in class SSLSocketVerifier
      Parameters:
      host - The address to which the client intended the connection to be established.
      port - The port to which the client intended the connection to be established.
      sslSocket - The SSLSocket that should be verified.
      Throws:
      LDAPException - If a problem is identified that should prevent the provided SSLSocket from remaining established.
    • verify

      public boolean verify(@NotNull String hostname, @NotNull SSLSession session)
      Verifies that the provided hostname is acceptable for use with the negotiated SSL session.
      Specified by:
      verify in interface HostnameVerifier
      Parameters:
      hostname - The address to which the client intended the connection to be established.
      session - The SSL session that was established.
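      An added example of calling the two verification methods directly on a socket the caller has opened; it is not code from this page or from the SDK. It assumes the SDK classes SSLUtil and TrustStoreTrustManager are available, that a trust store exists at the path supplied, and that the system property named by PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT is consulted by the single-argument constructor and accepts the values "true" and "false" (an assumption; the page states only that the property sets the default behaviour).

```java
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Opens a TLS socket by hand, completes the handshake, and then applies the
 * host name check in both of its forms: the throwing verifySSLSocket and the
 * boolean verify from javax.net.ssl.HostnameVerifier.
 */
public final class ManualHostNameCheck {

  private ManualHostNameCheck() {}

  /**
   * @return true if the peer certificate names {@code host}; false otherwise.
   *         The socket is closed before returning in either case.
   */
  public static boolean handshakeAndVerify(final String host, final int port,
                                           final String trustStorePath)
      throws IOException, GeneralSecurityException {
    // Assumed: this property supplies the default for the one-argument
    // constructor. "false" selects the RFC 6125 behaviour (ignore the CN when
    // a usable subjectAltName is present).
    System.setProperty(
        HostNameSSLSocketVerifier.PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT,
        "false");
    final HostNameSSLSocketVerifier verifier =
        new HostNameSSLSocketVerifier(false); // no wildcard certificates

    final SSLUtil sslUtil =
        new SSLUtil(new TrustStoreTrustManager(trustStorePath));
    final SSLSocketFactory factory = sslUtil.createSSLSocketFactory();

    // try-with-resources closes the socket on every exit path, so a peer that
    // fails the name check never stays connected.
    try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
      // Chain validation happens during the handshake; the host name has not
      // been checked yet at this point.
      socket.startHandshake();

      try {
        // Throwing form: the exception message describes which names the
        // certificate carried and why none matched.
        verifier.verifySSLSocket(host, port, socket);
      } catch (final LDAPException e) {
        System.err.println("Rejected " + host + ": " + e.getMessage());
        return false;
      }

      // Boolean form over the same session, as used by HTTPS clients that
      // take a javax.net.ssl.HostnameVerifier. Both forms apply the same
      // CN/subjectAltName and wildcard rules, so the result agrees.
      return verifier.verify(host, socket.getSession());
    }
  }
}
```

      Use the string you actually dialed as the host argument. Passing a name the user typed after it has been resolved or rewritten (for example the canonical name from a DNS lookup) lets an attacker who controls DNS choose which name the certificate is compared against.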