Package com.github.shyiko.mysql.binlog.network

Interface HostnameChecker

  • All Superinterfaces:
    HostnameVerifier
    All Known Implementing Classes:
    HostnameChecker.AbstractChecker
    public interface HostnameChecker
extends HostnameVerifier
    Interface for checking if a hostname matches the names stored inside the server's X.509 certificate. Correctly implements javax.net.ssl.HostnameVerifier, but that interface is not recommended. Instead we added several check() methods that take SSLSocket, or X509Certificate, or ultimately (they all end up calling this one), String. (It's easier to supply JUnit with Strings instead of mock SSLSession objects!)

    Our check() methods throw exceptions if the name is invalid, whereas javax.net.ssl.HostnameVerifier just returns true/false.

    We provide the HostnameVerifier.DEFAULT, HostnameVerifier.STRICT, and HostnameVerifier.ALLOW_ALL implementations. We also provide the more specialized HostnameVerifier.DEFAULT_AND_LOCALHOST, as well as HostnameVerifier.STRICT_IE6. But feel free to define your own implementations!

    Inspired by Sebastian Hauer's original StrictSSLProtocolSocketFactory in the HttpClient "contrib" repository.

    Since:
    8-Dec-2006
    Author:
    Julius Davies, Sebastian Hauer

    • Field Detail

      • DEFAULT

        static final HostnameChecker DEFAULT
        The DEFAULT HostnameVerifier works the same way as Curl and Firefox.

        The hostname must match either the first CN, or any of the subject-alts. A wildcard can occur in the CN, and in any of the subject-alts.

        The only difference between DEFAULT and STRICT is that a wildcard (such as "*.foo.com") with DEFAULT matches all subdomains, including "a.b.foo.com".

      • DEFAULT_AND_LOCALHOST

        static final HostnameChecker DEFAULT_AND_LOCALHOST
        The DEFAULT_AND_LOCALHOST HostnameVerifier works like the DEFAULT one with one additional relaxation: a host of "localhost", "localhost.localdomain", "127.0.0.1", "::1" will always pass, no matter what is in the server's certificate.

      • STRICT

        static final HostnameChecker STRICT
        The STRICT HostnameVerifier works the same way as java.net.URL in Sun Java 1.4, Sun Java 5, Sun Java 6. It's also pretty close to IE6. This implementation appears to be compliant with RFC 2818 for dealing with wildcards.

        The hostname must match either the first CN, or any of the subject-alts. A wildcard can occur in the CN, and in any of the subject-alts. The one divergence from IE6 is how we only check the first CN. IE6 allows a match against any of the CNs present. We decided to follow in Sun Java 1.4's footsteps and only check the first CN.

        A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com".

      • STRICT_IE6

        static final HostnameChecker STRICT_IE6
        The STRICT_IE6 HostnameVerifier works just like the STRICT one with one minor variation: the hostname can match against any of the CN's in the server's certificate, not just the first one. This behaviour is identical to IE6's behaviour.

      • ALLOW_ALL

        static final HostnameChecker ALLOW_ALL
        The ALLOW_ALL HostnameVerifier essentially turns hostname verification off. This implementation is a no-op, and never throws the SSLException.