Question
Under what circumstances would one use a HostnameVerifier over a TrustManager in Java? Is one recommended over the other? Looking at the Java docs (Interface HostnameVerifier and Interface TrustManager), I can't tell when it's best to use either (though the TrustManager seems more versatile).
In the past, I have always used a custom TrustManager. However, I noticed the Heartbleed exploit in Java uses both (but I don't think it's correct).
EDIT: when using a HostnameVerifier, are the other customary X509 checks performed, like path building and expiration and revocation (if configured)? I think I am essentially asking if the HostnameVerifier supplements the other checks (rather than replacing them).
For example, suppose a dev server is at dev.example.com and it's signed by an internal CA. There's one DNS name in dev.example.com's certificate, and it's dev.example.com. Further, suppose I connect to it as 192.168.1.10. Could I use a HostnameVerifier to allow both dev.example.com and 192.168.1.10? In this scenario, is the additional name allowed and are the other customary X509 checks performed?
Recommended answer
Never. They do different things. TrustManager authenticates certificates as part of SSL. HostnameVerifier verifies host names as part of HTTPS. They're not in competition.
No.
EDIT
- The TrustManager runs during the TLS handshake. If it indicates failure, the handshake is aborted and the connect fails.
- The HostnameVerifier runs after the TLS handshake, over a TLS connection that is already valid from the TLS point of view, so at that point you know that the certificate is valid, signed by a trusted issuer, non-expired (?), etc., and all you have to do is decide (a) whether it's from the correct server and (b) whether you trust that server. You might do (b) inside a TrustManager, but far more commonly you wouldn't provide your own TrustManager at all.
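As an added illustration of the scenario in the question (this is not code from the answer or from the original post): a HostnameVerifier that accepts a connection made to 192.168.1.10 only when the already-validated peer certificate carries the expected dNSName dev.example.com. It assumes HttpsURLConnection, which consults the verifier only after its own name check has failed, and it leaves the default TrustManager in place, so chain building, expiry and any configured revocation checks still run during the handshake before verify() is ever called.

```java
import javax.net.ssl.*;
import java.net.URL;
import java.security.cert.*;
import java.util.*;

// Hypothetical verifier for the dev box in the question: the certificate only
// names dev.example.com, but we sometimes reach the host by its IP address.
public class DevHostnameVerifier implements HostnameVerifier {
    private static final String EXPECTED_DNS_NAME = "dev.example.com";
    // Hostnames we are willing to connect under; anything else is rejected outright.
    private static final Set<String> ALLOWED_TARGETS = Set.of("dev.example.com", "192.168.1.10");
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // (a) Is this one of the endpoints we meant to reach?
        if (!ALLOWED_TARGETS.contains(hostname)) {
            return false;
        }
        try {
            // The chain was already accepted by the TrustManager during the handshake;
            // here we only confirm it is the certificate issued for our dev host.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return hasDnsName(leaf, EXPECTED_DNS_NAME);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // no authenticated peer or unparsable SAN: reject
        }
    }

    // True if the certificate's subjectAltName extension carries the given dNSName.
    static boolean hasDnsName(X509Certificate cert, String name) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            if (Integer.valueOf(SAN_DNS_NAME).equals(san.get(0)) && name.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://192.168.1.10/").openConnection();
        conn.setHostnameVerifier(new DevHostnameVerifier());
        // Default SSLSocketFactory, so the default TrustManager still validates the chain.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the verifier pins the expected certificate name rather than returning true unconditionally, a different host that merely answers on 192.168.1.10 with some other trusted certificate is still rejected.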