Class HostNameSSLSocketVerifier

  • All Implemented Interfaces:
    javax.net.ssl.HostnameVerifier

    @NotMutable
    @ThreadSafety(level=COMPLETELY_THREADSAFE)
    public final class HostNameSSLSocketVerifier
    extends SSLSocketVerifier
    implements javax.net.ssl.HostnameVerifier
    This class provides an implementation of an SSLSocket verifier that will verify that the presented server certificate includes the address to which the client intended to establish a connection. It will check the CN attribute of the certificate subject, as well as certain subjectAltName extensions, including dNSName, uniformResourceIdentifier, and iPAddress.
    • Field Summary

      Fields
      Modifier and Type Field Description
      static java.lang.String PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT
      The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values.
    • Constructor Summary

      Constructors
      Constructor Description
      HostNameSSLSocketVerifier(boolean allowWildcards)
      Creates a new instance of this SSLSocket verifier.
      HostNameSSLSocketVerifier(boolean allowWildcards, boolean checkCNWhenSubjectAltNameIsPresent)
      Creates a new instance of this SSLSocket verifier.
    • Method Summary

      Modifier and Type Method Description
      boolean verify(java.lang.String hostname, javax.net.ssl.SSLSession session)
      Verifies that the provided hostname is acceptable for use with the negotiated SSL session.
      void verifySSLSocket(java.lang.String host, int port, javax.net.ssl.SSLSocket sslSocket)
      Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT

        @NotNull
        public static final java.lang.String PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT
        The name of a system property that can be used to specify the default behavior that the verifier should exhibit when checking certificates that contain both a CN attribute in the subject DN and a subject alternative name extension that contains one or more dNSName, uniformResourceIdentifier, or iPAddress values. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.
    • Constructor Detail

      • HostNameSSLSocketVerifier

        public HostNameSSLSocketVerifier(boolean allowWildcards)
        Creates a new instance of this SSLSocket verifier.
        Parameters:
        allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.
      • HostNameSSLSocketVerifier

        public HostNameSSLSocketVerifier(boolean allowWildcards,
                                         boolean checkCNWhenSubjectAltNameIsPresent)
        Creates a new instance of this SSLSocket verifier.
        Parameters:
        allowWildcards - Indicates whether to allow wildcard certificates that contain an asterisk in the leftmost component of a hostname in the dNSName or uniformResourceIdentifier of the subject alternative name extension, or in the CN attribute of the subject DN.
        checkCNWhenSubjectAltNameIsPresent - Indicates whether to check the CN attribute in the peer certificate's subject DN if the certificate also contains a subject alternative name extension that contains at least one dNSName, uniformResourceIdentifier, or iPAddress value. Although RFC 6125 section 6.4.4 indicates that the CN attribute should not be checked in certificates that have an appropriate subject alternative name extension, LDAP clients historically treat both sources as equally valid.
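        The following is an added example, not code from the LDAP SDK or its documentation, showing how this verifier is wired into a connection so that a certificate that does not name the intended host is rejected before any LDAP request is sent. It assumes the SDK's public SSLUtil, TrustStoreTrustManager and LDAPConnectionOptions.setSSLSocketVerifier API, and the trust-store path is a placeholder.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import java.security.GeneralSecurityException;
import javax.net.SocketFactory;

public final class VerifiedLdapsConnection
{
  // Opens an LDAPS connection that is kept only if the server certificate
  // chains to the given trust store AND covers the host we intended to reach.
  public static LDAPConnection connect(final String host, final int port,
                                       final String trustStorePath)
         throws LDAPException, GeneralSecurityException
  {
    // Process-wide default, via the documented system property, for verifiers
    // that do not state the choice explicitly: do not fall back to the subject
    // CN when a usable subjectAltName extension is present (RFC 6125 6.4.4).
    System.setProperty(
         HostNameSSLSocketVerifier.PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT,
         "false");

    // Trust anchors come from our own trust store (path is an assumed placeholder).
    final SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
    final SocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    // Name matching policy made explicit: no wildcard certificates, and the CN
    // is ignored when the certificate carries a dNSName/URI/iPAddress SAN.
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(false, false));

    // If the presented certificate does not cover 'host', verifySSLSocket
    // throws LDAPException and the connection is not returned.
    return new LDAPConnection(socketFactory, options, host, port);
  }
}
```

The same options object also governs StartTLS on a connection opened in the clear, so the name check is applied to that path as well.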
    • Method Detail

      • verifySSLSocket

        public void verifySSLSocket(@NotNull
                                    java.lang.String host,
                                    int port,
                                    @NotNull
                                    javax.net.ssl.SSLSocket sslSocket)
                             throws LDAPException
        Verifies that the provided SSLSocket is acceptable and the connection should be allowed to remain established.
        Specified by:
        verifySSLSocket in class SSLSocketVerifier
        Parameters:
        host - The address to which the client intended the connection to be established.
        port - The port to which the client intended the connection to be established.
        sslSocket - The SSLSocket that should be verified.
        Throws:
        LDAPException - If a problem is identified that should prevent the provided SSLSocket from remaining established.
      • verify

        public boolean verify(@NotNull
                              java.lang.String hostname,
                              @NotNull
                              javax.net.ssl.SSLSession session)
        Verifies that the provided hostname is acceptable for use with the negotiated SSL session.
        Specified by:
        verify in interface javax.net.ssl.HostnameVerifier
        Parameters:
        hostname - The address to which the client intended the connection to be established.
        session - The SSL session that was established.