问题描述

在什么情况下，Java中会在 TrustManager 上使用 HostnameVerifier ?是否推荐其中一个?查看Java文档(接口HostnameVerifier 和 Interface TrustManager )，我无法确定什么时候最好使用它(尽管 TrustManager 似乎更通用).

Under what circumstances would one use a HostnameVerifier over a TrustManager in Java? Is one recommended over the other? Looking at the Java docs (Interface HostnameVerifier and Interface TrustManager), I can't tell when its best to use either (though the TrustManager seems more versatile).

过去，我一直使用自定义的 TrustManager .但是，我注意到 Java中的Heartbleed漏洞同时使用了这两种方法(但我不认为这是正确的)

In the past, I have always used a custom TrustManager. However, I noticed Heartbleed exploit in java uses both (but I don't think its correct).

编辑:使用 HostnameVerifier 时，是否还会执行其他常规X509检查，例如路径构建，到期和吊销(如果已配置)?我想我本质上是在问 HostnameVerifier 是否补充了其他检查(而不是替换它们).

EDIT: when using HostnameVerifier, are the other customary X509 checks performed, like path building and expiration and revocation (if configured)? I think I am essentially asking if HostnameVerifier supplements the other checks (rather than replacing them).

例如，假设开发服务器位于 dev.example.com 上，并且其服务器由内部CA签名. dev.example.com 的证书中有一个DNS名称，以及它的 dev.example.com .此外，假设我以 192.168.1.10 连接到它.我可以使用 HostnameVerifier 允许 dev.example.com 和 192.168.1.10 吗?在这种情况下，是否允许使用附加名称​​ 并执行其他常规X509检查?

For example, suppose a dev server is at dev.example.com and its signed by an internal CA. There's one DNS name in dev.example.com's certificate, and its dev.example.com. Further, suppose I connect to it as 192.168.1.10. Could I use a HostnameVerifier to allow both dev.example.com and 192.168.1.10? In this scenario, is the additional name allowed and are the other customary X509 checks are performed?

推荐答案

从不.他们做不同的事情.TrustManage对证书进行身份验证，作为SSL的一部分.HostnameVerifier验证主机名是否是HTTPS的一部分.他们没有参加比赛.

Never. They do different things. TrustManage authenticates certificates as part of SSL. HostnameVerifier verifies host names as part of HTTPS. They're not in competition.

否.

编辑

• TrustManager 在TLS握手期间运行.如果指示失败，则握手中止并且连接失败.
• HostnameVerifier 在TLS握手后 上运行，该连接从TLS角度来看已经是有效的TLS连接，因此，此时您知道证书是有效，由受信任的发行者签名，未过期(?)等，您要做的就是确定(a)是否来自正确的服务器，以及(b)您是否信任该服务器.您可能会在 TrustManager 内执行(b)，但更常见的是，您根本不会提供自己的 TrustManager .

• The TrustManager runs during the TLS handshake. If it indicates failure, the handshake is aborted and the connect fails.
• The HostnameVerifier runs after the TLS handshake, over a TLS connection that is already valid from the TLS point of view, so at that point you know that the certificate is valid, signed by a trusted issuer, non-expired (?), etc., and all you have to do is decide (a) whether it's from the correct server and (b) whether you trust that server. You might do (b) inside a TrustManager, but far more commonly you wouldn't provide your own TrustManager at all.

这篇关于HostnameVerifier与TrustManager?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！