Package com.unboundid.util.ssl
Class HostNameSSLSocketVerifier

- java.lang.Object
  - com.unboundid.util.ssl.SSLSocketVerifier
    - com.unboundid.util.ssl.HostNameSSLSocketVerifier

All Implemented Interfaces:
- javax.net.ssl.HostnameVerifier

@NotMutable @ThreadSafety(level=COMPLETELY_THREADSAFE) public final class HostNameSSLSocketVerifier extends SSLSocketVerifier implements javax.net.ssl.HostnameVerifier

This class provides an implementation of an SSLSocket verifier that will verify that the presented server certificate includes the address to which the client intended to establish a connection. It will check the CN attribute of the certificate subject, as well as certain subjectAltName extensions, including dNSName, uniformResourceIdentifier, and iPAddress.

Field Summary

Fields
- static java.lang.String PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT
  The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values.

Constructor Summary

Constructors
- HostNameSSLSocketVerifier(boolean allowWildcards)
  Creates a new instance of this SSLSocket verifier.
- HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent)
  Creates a new instance of this SSLSocket verifier.

Method Summary

Instance Methods (Concrete)
- boolean verify(java.lang.String hostname, javax.net.ssl.SSLSession session)
  Verifies that the provided hostname is acceptable for use with the negotiated SSL session.
- void verifySSLSocket(java.lang.String host, int port, javax.net.ssl.SSLSocket sslSocket)
  Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.

Field Detail

PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT

@NotNull public static final java.lang.String PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT

The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.

Constructor Detail

HostNameSSLSocketVerifier

public HostNameSSLSocketVerifier(boolean allowWildcards)

Creates a new instance of this SSLSocket verifier.

- Parameters:
  - allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.

HostNameSSLSocketVerifier

public HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent)

Creates a new instance of this SSLSocket verifier.

- Parameters:
  - allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.
  - checkCNWhenSubjectAltNameIsPresent - Indicates whether to check the CN attribute in the peer certificate's subject DN if the certificate also contains a subject alternative name extension that contains at least one dNSName, uniformResourceIdentifier, or iPAddress value. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.
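The two constructor flags decide how much of the certificate is trusted as an identity source. The following is an added example, not code from the LDAP SDK or its documentation: it wires a verifier into an LDAPS connection through LDAPConnectionOptions.setSSLSocketVerifier and puts the strict RFC 6125 setting beside the historical LDAP-client setting so the difference is visible. The host name, port and trust store path are placeholders.

```java
import java.security.GeneralSecurityException;

import javax.net.SocketFactory;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/**
 * Added example (not part of the LDAP SDK): opens an LDAPS connection whose
 * peer certificate is bound to the intended host name by
 * HostNameSSLSocketVerifier.  Host, port and trust store path are
 * placeholders chosen for illustration.
 */
public final class StrictLdapsConnectExample
{
  // Placeholder values; replace with the directory server and trust store in use.
  private static final String LDAP_HOST = "ldap.example.com";
  private static final int LDAPS_PORT = 636;
  private static final String TRUST_STORE_PATH = "/path/to/truststore.jks";

  /**
   * Options that follow RFC 6125 section 6.4.4.
   * allowWildcards=false rejects certificates such as *.example.com.
   * checkCNWhenSubjectAltNameIsPresent=false means that once the certificate
   * carries a dNSName, uniformResourceIdentifier or iPAddress subjectAltName,
   * the subject CN is ignored instead of being treated as a second identity.
   */
  static LDAPConnectionOptions strictOptions()
  {
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(false, false));
    return options;
  }

  /**
   * Options mirroring the historical LDAP-client behaviour described in the
   * field documentation: wildcards accepted and the CN consulted even when a
   * subjectAltName is present.  Shown only for comparison with strictOptions.
   */
  static LDAPConnectionOptions legacyOptions()
  {
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true, true));
    return options;
  }

  public static void main(final String[] args)
       throws GeneralSecurityException, LDAPException
  {
    // Chain trust comes from the trust store; host-name binding comes from
    // the verifier registered on the connection options.
    final SSLUtil sslUtil =
         new SSLUtil(new TrustStoreTrustManager(TRUST_STORE_PATH));
    final SocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    // The SDK calls verifySSLSocket(host, port, socket) right after the TLS
    // handshake.  A name mismatch surfaces here as an LDAPException from the
    // constructor, so a connection to the wrong party is never returned.
    try (LDAPConnection connection = new LDAPConnection(socketFactory,
              strictOptions(), LDAP_HOST, LDAPS_PORT))
    {
      System.out.println("Connected; certificate names " + LDAP_HOST);
    }
  }
}
```

A trust manager alone only proves that some CA signed the certificate; without the verifier, a valid certificate for any other host would be accepted, which is the gap the host-name check closes.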

Method Detail

verifySSLSocket

public void verifySSLSocket(@NotNull java.lang.String host, int port, @NotNull javax.net.ssl.SSLSocket sslSocket) throws LDAPException

Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.

- Specified by:
  - verifySSLSocket in class SSLSocketVerifier
- Parameters:
  - host - The address to which the client intended the connection to be established.
  - port - The port to which the client intended the connection to be established.
  - sslSocket - The SSLSocket that should be verified.
- Throws:
  - LDAPException - If a problem is identified that should prevent the provided SSLSocket from remaining established.

verify

public boolean verify(@NotNull java.lang.String hostname, @NotNull javax.net.ssl.SSLSession session)

Verifies that the provided hostname is acceptable for use with the negotiated SSL session.

- Specified by:
  - verify in interface javax.net.ssl.HostnameVerifier
- Parameters:
  - hostname - The address to which the client intended the connection to be established.
  - session - The SSL session that was established.
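The two methods report the same check in different ways: verifySSLSocket throws LDAPException and is the entry point the SDK uses for its own connections, while verify(hostname, session) is the javax.net.ssl.HostnameVerifier view and returns a boolean, so the class can be handed to any code that expects that interface. The following added example (not SDK code) drives both directly on a hand-built SSLSocket and closes the socket on failure; host, port and trust store path are placeholders.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;

import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/**
 * Added example (not part of the LDAP SDK): calls verifySSLSocket and verify
 * on a socket the caller built itself.  Host, port and trust store path are
 * placeholders.
 */
public final class DirectVerifyExample
{
  private static final String HOST = "ldap.example.com";                // placeholder
  private static final int PORT = 636;                                  // placeholder
  private static final String TRUST_STORE = "/path/to/truststore.jks";  // placeholder

  /**
   * Returns true only if the certificate presented on the socket names the
   * host the caller intended to reach.  On a mismatch the socket is closed so
   * a session with the wrong party cannot be reused by accident.
   */
  static boolean socketNamesHost(final SSLSocket socket, final String host,
                                 final int port)
  {
    // Strict settings: no wildcards, CN ignored when a subjectAltName exists.
    final HostNameSSLSocketVerifier verifier =
         new HostNameSSLSocketVerifier(false, false);
    try
    {
      // Exception-style entry point: throws when no acceptable dNSName,
      // uniformResourceIdentifier, iPAddress or (if permitted) CN matches.
      verifier.verifySSLSocket(host, port, socket);

      // Boolean-style entry point through the HostnameVerifier interface,
      // evaluated against the negotiated session of the same socket.
      final SSLSession session = socket.getSession();
      return verifier.verify(host, session);
    }
    catch (final LDAPException e)
    {
      System.err.println("Certificate does not match " + host + ": "
           + e.getMessage());
      try
      {
        socket.close();
      }
      catch (final IOException ignored)
      {
        // Nothing further to do; the connection is being abandoned anyway.
      }
      return false;
    }
  }

  public static void main(final String[] args)
       throws GeneralSecurityException, IOException
  {
    final SSLUtil sslUtil =
         new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
    final SSLSocketFactory factory = sslUtil.createSSLSocketFactory();

    // Complete the handshake first: the verifier needs the negotiated session
    // and the peer certificate chain, which exist only after the handshake.
    try (SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT))
    {
      socket.startHandshake();
      System.out.println("Name match: " + socketNamesHost(socket, HOST, PORT));
    }
  }
}
```

When the class is used through the SDK's connection options this plumbing is done for you; calling the methods directly is useful when a raw SSLSocket is obtained from elsewhere and the same host-name policy should apply to it.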