402 hostname = hostname.substring(1, hostname.length() - 1); |
402 hostname = hostname.substring(1, hostname.length() - 1); |
403 } |
403 } |
404 try { |
404 try { |
405 HostnameChecker checker = HostnameChecker.getInstance( |
405 HostnameChecker checker = HostnameChecker.getInstance( |
406 HostnameChecker.TYPE_LDAP); |
406 HostnameChecker.TYPE_LDAP); |
407 // Use ciphersuite to determine whether Kerberos is active. |
407 // get the subject's certificate |
408 if (session.getCipherSuite().startsWith("TLS_KRB5")) { |
408 certs = session.getPeerCertificates(); |
409 Principal principal = getPeerPrincipal(session); |
409 X509Certificate peerCert; |
410 if (!HostnameChecker.match(hostname, principal)) { |
410 if (certs[0] instanceof java.security.cert.X509Certificate) { |
411 throw new SSLPeerUnverifiedException( |
411 peerCert = (java.security.cert.X509Certificate) certs[0]; |
412 "hostname of the kerberos principal:" + principal + |
412 } else { |
413 " does not match the hostname:" + hostname); |
413 throw new SSLPeerUnverifiedException( |
414 } |
414 "Received a non X509Certificate from the server"); |
415 } else { // X.509 |
415 } |
416 |
416 checker.match(hostname, peerCert); |
417 // get the subject's certificate |
|
418 certs = session.getPeerCertificates(); |
|
419 X509Certificate peerCert; |
|
420 if (certs[0] instanceof java.security.cert.X509Certificate) { |
|
421 peerCert = (java.security.cert.X509Certificate) certs[0]; |
|
422 } else { |
|
423 throw new SSLPeerUnverifiedException( |
|
424 "Received a non X509Certificate from the server"); |
|
425 } |
|
426 checker.match(hostname, peerCert); |
|
427 } |
|
428 |
417 |
429 // no exception means verification passed |
418 // no exception means verification passed |
430 return true; |
419 return true; |
431 } catch (SSLPeerUnverifiedException e) { |
420 } catch (SSLPeerUnverifiedException e) { |
432 |
421 |