Skip to content

HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing host and identity with IDN#607

Merged
arturobernalg merged 1 commit intoapache:masterfrom
arturobernalg:HTTPCLIENT-2353
Jan 6, 2025
Merged

HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing host and identity with IDN#607
arturobernalg merged 1 commit intoapache:masterfrom
arturobernalg:HTTPCLIENT-2353

Conversation

@arturobernalg
Copy link
Member

@arturobernalg arturobernalg commented Jan 4, 2025

Normalize Unicode and punycode strings before comparing host and certificate identities. This approach ensures domains like поиск-слов.рф properly match their punycode equivalents.

@arturobernalg arturobernalg requested a review from ok2c January 4, 2025 12:58
ok2c
ok2c reviewed Jan 5, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
final DomainType domainType,
final boolean strict) {

final String punycodeHost;
Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg Could we do it the other way around and convert identity from punycode to Unicode instead?

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c you mean Instead of converting both strings to punycode, bring both into the same Unicode form—i.e., use IDN.toUnicode(...) rather than toASCII(...) ???

Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c you mean Instead of converting both strings to punycode, bring both into the same Unicode form—i.e., use IDN.toUnicode(...) rather than toASCII(...) ???

@arturobernalg That is exactly what I mean. This way one would not need to normalize the hostname as it is has already been normalized to Unicode at the construction time.

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c changed. please take another look

ok2c
ok2c approved these changes Jan 5, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
final DomainType domainType,
final boolean strict) {

final String unicodeIdentity;
Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unicodeIdentity -> normalizedIdentity would be a better name?

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@ok2c
Copy link
Member

ok2c commented Jan 5, 2025

@arturobernalg Please note we still have a problem with punycode encoded hostname resolution. We might address it in a separate PR though.

@arturobernalg
Copy link
Member Author

arturobernalg commented Jan 5, 2025

@arturobernalg Please note we still have a problem with punycode encoded hostname resolution. We might address it in a separate PR though.

@ok2c I have fixed the test within this PR.

@arturobernalg arturobernalg requested a review from ok2c January 5, 2025 11:31
ok2c
ok2c requested changes Jan 5, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
final String normalizedHost;
final String normalizedIdentity;
try {
normalizedHost = IDN.toUnicode(host);
Copy link
Member

@ok2c ok2c Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg This is unnecessary. The hostname has already been normalized. Please see Host and HttpHost classes

Copy link
Member Author

@arturobernalg arturobernalg Jan 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c
you right. changed. Please do another pass

@arturobernalg
HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing identity wi…
0f40601 
…th IDN.toUnicode before comparison so that Unicode and punycode forms match correctly.
@arturobernalg arturobernalg requested a review from ok2c January 5, 2025 18:40
ok2c
ok2c approved these changes Jan 5, 2025
View reviewed changes
Copy link
Member

@ok2c ok2c left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg Looks good to me

@arturobernalg arturobernalg merged commit 9e3559e into apache:master Jan 6, 2025
10 checks passed
@ok2c
Copy link
Member

ok2c commented Jan 6, 2025

@arturobernalg Please also cherry-pick this commit to 5.4.x

@arturobernalg
Copy link
Member Author

arturobernalg commented Jan 6, 2025

@arturobernalg Looks good to me

@ok2c on it

arturobernalg added a commit that referenced this pull request Jan 6, 2025
@arturobernalg
HTTPCLIENT-2353: Fix IDN hostname mismatch by normalizing identity wi…
3fa07f1 
…th IDN.toUnicode before comparison so that Unicode and punycode forms match correctly. (#607)

(cherry picked from commit 9e3559e)
@arturobernalg
Copy link
Member Author

arturobernalg commented Jan 6, 2025

@arturobernalg Looks good to me

@ok2c on it

Cherry-picked to 5.4.x

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ok2c ok2c ok2c approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arturobernalg @ok2c