@NotMutable @ThreadSafety(level=COMPLETELY_THREADSAFE) public final class HostNameSSLSocketVerifier extends SSLSocketVerifier implements javax.net.ssl.HostnameVerifier

An SSLSocket verifier that will verify that the presented server certificate includes the address to which the client intended to establish a connection. It will check the CN attribute of the certificate subject, as well as certain subjectAltName extensions, including dNSName, uniformResourceIdentifier, and iPAddress.

Modifier and Type | Field and Description |
---|---|
static java.lang.String | PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT: The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values. |
Constructor and Description |
---|
HostNameSSLSocketVerifier(boolean allowWildcards): Creates a new instance of this SSLSocket verifier. |
HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent): Creates a new instance of this SSLSocket verifier. |
Modifier and Type | Method and Description |
---|---|
boolean | verify(java.lang.String hostname, javax.net.ssl.SSLSession session): Verifies that the provided hostname is acceptable for use with the negotiated SSL session. |
void | verifySSLSocket(java.lang.String host, int port, javax.net.ssl.SSLSocket sslSocket): Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established. |
@NotNull public static final java.lang.String PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT

The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values.

public HostNameSSLSocketVerifier(boolean allowWildcards)

Creates a new instance of this SSLSocket verifier.

Parameters:
allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.

public HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent)

Creates a new instance of this SSLSocket verifier.

Parameters:
allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.
checkCNWhenSubjectAltNameIsPresent - Indicates whether to check the CN attribute in the peer certificate's subject DN if the certificate also contains a subject alternative name extension that contains at least one dNSName, uniformResourceIdentifier, or iPAddress value. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.

public void verifySSLSocket(@NotNull java.lang.String host, int port, @NotNull javax.net.ssl.SSLSocket sslSocket) throws LDAPException

Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.

Specified by:
verifySSLSocket in class SSLSocketVerifier

Parameters:
host - The address to which the client intended the connection to be established.
port - The port to which the client intended the connection to be established.
sslSocket - The SSLSocket that should be verified.

Throws:
LDAPException - If a problem is identified that should prevent the provided SSLSocket from remaining established.

public boolean verify(@NotNull java.lang.String hostname, @NotNull javax.net.ssl.SSLSession session)

Verifies that the provided hostname is acceptable for use with the negotiated SSL session.

Specified by:
verify in interface javax.net.ssl.HostnameVerifier

Parameters:
hostname - The address to which the client intended the connection to be established.
session - The SSL session that was established.
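The following is an added example, not code from this page or from the UnboundID LDAP SDK itself, showing the strictest configuration of this verifier (no wildcards, CN ignored whenever a usable subjectAltName is present) wired into an LDAPS connection. It assumes the SDK's SSLUtil, TrustStoreTrustManager and LDAPConnectionOptions.setSSLSocketVerifier, which this page does not show; the host and trust-store path are constructed placeholders.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;

public final class StrictLdapsClient {
  // Constructed placeholder values; substitute your own trust store and server.
  private static final String TRUST_STORE_PATH = "/path/to/truststore.jks";
  private static final String LDAP_HOST = "ldap.example.com";
  private static final int LDAPS_PORT = 636;

  // allowWildcards=false: a certificate for *.example.com is rejected.
  // checkCNWhenSubjectAltNameIsPresent=false: once the certificate carries a
  // dNSName/URI/iPAddress subjectAltName the CN is ignored (RFC 6125 6.4.4),
  // so a stale CN cannot rescue a SAN list that does not name LDAP_HOST.
  // The same instance also implements javax.net.ssl.HostnameVerifier and can
  // be passed to HttpsURLConnection.setHostnameVerifier for HTTPS clients.
  static HostNameSSLSocketVerifier strictVerifier() {
    return new HostNameSSLSocketVerifier(false, false);
  }

  public static LDAPConnection connect() throws GeneralSecurityException, LDAPException {
    // Trust only CAs in our own trust store; no blind-trust manager.
    SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE_PATH));
    SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    // The SDK calls verifySSLSocket(host, port, socket) after the handshake; an
    // LDAPException from it closes the connection instead of leaving it usable.
    LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(strictVerifier());
    return new LDAPConnection(socketFactory, options, LDAP_HOST, LDAPS_PORT);
  }

  public static void main(String[] args) throws Exception {
    LDAPConnection conn = connect();
    try {
      System.out.println("Verified LDAPS peer: " + conn.getConnectedAddress());
    } finally {
      conn.close();
    }
  }
}
```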