Skip to content

HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing host and identity with IDN #607

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
arturobernalg merged 1 commit into from
Jan 6, 2025
Merged

HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing host and identity with IDN #607

arturobernalg merged 1 commit into from
Jan 6, 2025

Conversation

@arturobernalg
Copy link
Member

@arturobernalg arturobernalg commented Jan 4, 2025

Normalize Unicode and punycode strings before comparing host and certificate identities. This approach ensures domains like поиск-слов.рф properly match their punycode equivalents.

@arturobernalg arturobernalg requested a review from ok2c January 4, 2025 12:58
ok2c
ok2c reviewed Jan 5, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
final DomainType domainType,
final boolean strict) {

final String punycodeHost;
Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg Could we do it the other way around and convert identity from punycode to Unicode instead?

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c you mean Instead of converting both strings to punycode, bring both into the same Unicode form—i.e., use IDN.toUnicode(...) rather than toASCII(...) ???

Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c you mean Instead of converting both strings to punycode, bring both into the same Unicode form—i.e., use IDN.toUnicode(...) rather than toASCII(...) ???

@arturobernalg That is exactly what I mean. This way one would not need to normalize the hostname as it is has already been normalized to Unicode at the construction time.

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c changed. please take another look

ok2c
ok2c approved these changes Jan 5, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
final DomainType domainType,
final boolean strict) {

final String unicodeIdentity;
Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unicodeIdentity -> normalizedIdentity would be a better name?

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@ok2c
Copy link
Member

ok2c commented Jan 5, 2025

@arturobernalg Please note we still have a problem with punycode encoded hostname resolution. We might address it in a separate PR though.

@arturobernalg
Copy link
Member Author

arturobernalg commented Jan 5, 2025

@arturobernalg Please note we still have a problem with punycode encoded hostname resolution. We might address it in a separate PR though.

@ok2c I have fixed the test within this PR.

@arturobernalg arturobernalg requested a review from ok2c January 5, 2025 11:31
ok2c
ok2c requested changes Jan 5, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
final String normalizedHost;
final String normalizedIdentity;
try {
normalizedHost = IDN.toUnicode(host);
Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg This is unnecessary. The hostname has already been normalized. Please see Host and HttpHost classes

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c
you right. changed. Please do another pass

@arturobernalg
HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing identity wi…
0f40601 
…th IDN.toUnicode before comparison so that Unicode and punycode forms match correctly.
@arturobernalg arturobernalg requested a review from ok2c January 5, 2025 18:40
ok2c
ok2c approved these changes Jan 5, 2025
View reviewed changes
Copy link
Member

@ok2c ok2c left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg Looks good to me

@arturobernalg arturobernalg merged commit 9e3559e into apache:master Jan 6, 2025
10 checks passed
@ok2c
Copy link
Member

ok2c commented Jan 6, 2025

@arturobernalg Please also cherry-pick this commit to 5.4.x

@arturobernalg
Copy link
Member Author

arturobernalg commented Jan 6, 2025

@arturobernalg Looks good to me

@ok2c on it

arturobernalg added a commit that referenced this pull request Jan 6, 2025
@arturobernalg
HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing identity wi…
3fa07f1 
…th IDN.toUnicode before comparison so that Unicode and punycode forms match correctly. (#607)

(cherry picked from commit 9e3559e)
@arturobernalg
Copy link
Member Author

arturobernalg commented Jan 6, 2025

@arturobernalg Looks good to me

@ok2c on it

Cherry-picked to 5.4.x

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ok2c ok2c ok2c approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arturobernalg @ok2c