This article covers the question "HostnameVerifier vs. TrustManager?" and should be of some reference value to anyone working through the same problem; interested readers can follow along below.

Question

Under what circumstances would one use a HostnameVerifier over a TrustManager in Java? Is one recommended over the other? Looking at the Java docs (Interface HostnameVerifier and Interface TrustManager), I can't tell when it's best to use either (though the TrustManager seems more versatile).

In the past, I have always used a custom TrustManager. However, I noticed the Heartbleed exploit in Java uses both (but I don't think it's correct).

EDIT: when using HostnameVerifier, are the other customary X509 checks performed, like path building and expiration and revocation (if configured)? I think I am essentially asking if HostnameVerifier supplements the other checks (rather than replacing them).

For example, suppose a dev server is at dev.example.com and it's signed by an internal CA. There's one DNS name in dev.example.com's certificate, and it's dev.example.com. Further, suppose I connect to it as 192.168.1.10. Could I use a HostnameVerifier to allow both dev.example.com and 192.168.1.10? In this scenario, is the additional name allowed and are the other customary X509 checks performed?

Accepted answer

Never. They do different things. TrustManager authenticates certificates as part of SSL. HostnameVerifier verifies host names as part of HTTPS. They're not in competition.

No.

EDIT

  • The TrustManager runs during the TLS handshake. If it indicates failure, the handshake is aborted and the connect fails.
  • The HostnameVerifier runs after the TLS handshake, over a TLS connection that is already valid from the TLS point of view, so at that point you know that the certificate is valid, signed by a trusted issuer, non-expired (?), etc., and all you have to do is decide (a) whether it's from the correct server and (b) whether you trust that server. You might do (b) inside a TrustManager, but far more commonly you wouldn't provide your own TrustManager at all.
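The dev-server scenario from the question, written out as an added example (it is not code from the original answer): the default TrustManager stays in place so chain building, expiry and any configured revocation checks still run during the handshake, and the custom HostnameVerifier only decides afterwards whether a certificate naming dev.example.com may be accepted when the connection was made to 192.168.1.10. The class name DevHostnameVerifier and the assumption that HttpsURLConnection consults a custom verifier only after its own host-name match fails are mine.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Added example, not from the original answer. The default TrustManager is left
// in place, so chain building, expiry and (if configured) revocation are still
// enforced during the handshake; this verifier only decides, afterwards, whether
// a certificate issued to dev.example.com may also be accepted when the
// connection was made to 192.168.1.10 (both values come from the question).
public final class DevHostnameVerifier implements HostnameVerifier {
    private static final String DEV_NAME = "dev.example.com";
    private static final String DEV_ADDR = "192.168.1.10";
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // HttpsURLConnection consults a custom verifier only after its own
        // host-name match has failed, so returning false keeps normal behaviour.
        if (!DEV_ADDR.equals(hostname)) {
            return false;
        }
        try {
            // chain[0] is the leaf certificate the TrustManager already validated.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans == null) {
                return false;
            }
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == SAN_DNS_NAME
                        && DEV_NAME.equalsIgnoreCase((String) san.get(1))) {
                    return true;
                }
            }
        } catch (Exception e) {
            // SSLPeerUnverifiedException or CertificateParsingException: refuse.
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + DEV_ADDR + "/").openConnection();
        conn.setHostnameVerifier(new DevHostnameVerifier());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the internal CA must still be trusted by the default TrustManager, this only relaxes the name check, not the certificate checks the answer lists.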


06-30 14:46