High severityNVD Advisory· Published Sep 4, 2014· Updated May 6, 2026

CVE-2012-6153

CVE-2012-6153

Description

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.httpcomponents:httpclient (Maven) | < 4.2.3 | 4.2.3

Affected products

2

Patches

2
6e14fc146a66

Fixed CN extraction from DN of X500 principal

https://github.com/apache/httpcomponents-clientOleg KalnichevskiNov 20, 2012via ghsa
2 files changed · +24 7
  • httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java+8 6 modified
    @@ -178,12 +178,12 @@ public final void verify(final String host, final String[] cns,
     
             // We're can be case-insensitive when comparing the host we used to
             // establish the socket to the hostname in the certificate.
    -        String hostName = host.trim().toLowerCase(Locale.ENGLISH);
    +        String hostName = host.trim().toLowerCase(Locale.US);
             boolean match = false;
             for(Iterator<String> it = names.iterator(); it.hasNext();) {
                 // Don't trim the CN, though!
                 String cn = it.next();
    -            cn = cn.toLowerCase(Locale.ENGLISH);
    +            cn = cn.toLowerCase(Locale.US);
                 // Store CN in StringBuilder in case we need to report an error.
                 buf.append(" <");
                 buf.append(cn);
    @@ -260,13 +260,15 @@ whereas toString() gives me this:
                Looks like toString() even works with non-ascii domain names!
                I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
             */
    +
             String subjectPrincipal = cert.getSubjectX500Principal().toString();
             StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
             while(st.hasMoreTokens()) {
    -            String tok = st.nextToken();
    -            int x = tok.indexOf("CN=");
    -            if(x >= 0) {
    -                cnList.add(tok.substring(x + 3));
    +            String tok = st.nextToken().trim();
    +            if (tok.length() > 3) {
    +                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
    +                    cnList.add(tok.substring(3));
    +                }
                 }
             }
             if(!cnList.isEmpty()) {
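Review bot: The rewritten loop still hands `subjectPrincipal` to `new StringTokenizer(subjectPrincipal, ",")`, so a DN attribute value that itself contains a comma (escaped or quoted, as X500Principal's string forms emit it) is cut into two tokens and the remainder is dropped from, or attributed to, the CN; a multi-valued RDN such as `CN=host+OU=x` is likewise added verbatim with its `+OU=x` tail, because the new check only inspects the first three characters of the trimmed token. Parsing the name with `javax.naming.ldap.LdapName` over `getSubjectX500Principal().getName()` (the RFC 2253 form) should handle escaping and RDN structure instead of hand-splitting; a sketch follows, with the caveat that `Rdn.getType()` only reports the first attribute of a multi-valued RDN. getCNs() starts before this hunk and ends after it.
```java
        String subjectPrincipal = cert.getSubjectX500Principal().getName(); // RFC 2253 form, not toString()
        try {
            for (javax.naming.ldap.Rdn rdn : new javax.naming.ldap.LdapName(subjectPrincipal).getRdns()) {
                // getType() names only the first attribute of a multi-valued RDN
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    cnList.add(rdn.getValue().toString());
                }
            }
        } catch (javax.naming.InvalidNameException e) {
            // unparseable subject: no CN is extracted, the caller takes its no-CN path
        }
        // … unchanged: conversion of cnList to the returned array …
```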
    
  • httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java+16 1 modified
    @@ -29,6 +29,7 @@
     
     import java.io.ByteArrayInputStream;
     import java.io.InputStream;
    +import java.security.Principal;
     import java.security.cert.CertificateFactory;
     import java.security.cert.X509Certificate;
     import java.util.Arrays;
    @@ -37,6 +38,7 @@
     
     import org.junit.Assert;
     import org.junit.Test;
    +import org.mockito.Mockito;
     
     /**
      * Unit tests for {@link X509HostnameVerifier}.
    @@ -336,7 +338,7 @@ private void checkWildcard(String host, boolean isOK) {
     
         @Test
         // Various checks of 2TLDs
    -    public void testacceptableCountryWildcards() {
    +    public void testAcceptableCountryWildcards() {
             checkWildcard("*.co.org", true); // Not a 2 character TLD
             checkWildcard("s*.co.org", true); // Not a 2 character TLD
             checkWildcard("*.co.uk", false); // 2 character TLD, invalid 2TLD
    @@ -345,4 +347,17 @@ public void testacceptableCountryWildcards() {
             checkWildcard("*.a.co.uk", true); // 2 character TLD, invalid 2TLD, but using subdomain
             checkWildcard("s*.a.co.uk", true); // 2 character TLD, invalid 2TLD, but using subdomain
         }
    +
    +    public void testGetCNs() {
    +        Principal principal = Mockito.mock(Principal.class);
    +        X509Certificate cert = Mockito.mock(X509Certificate.class);
    +        Mockito.when(cert.getSubjectDN()).thenReturn(principal);
    +        Mockito.when(principal.toString()).thenReturn("bla,  bla, blah");
    +        Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert));
    +        Mockito.when(principal.toString()).thenReturn("Cn=,  Cn=  , CN, OU=CN=");
    +        Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert));
    +        Mockito.when(principal.toString()).thenReturn("  Cn=blah,  CN= blah , OU=CN=yada");
    +        Assert.assertArrayEquals(new String[] {"blah", " blah"}, AbstractVerifier.getCNs(cert));
    +    }
    +
     }
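Review bot: `testGetCNs` carries no `@Test` annotation (compare `testAcceptableCountryWildcards` above it), so JUnit 4 never runs it and its three assertions are dead. It also stubs `cert.getSubjectDN()`, whereas the AbstractVerifier hunk above reads `cert.getSubjectX500Principal()`; on a Mockito mock that accessor returns null, so once the annotation is added the test would fail with a NullPointerException rather than exercise the new parsing, unless the branch under test differs from what is shown. Rather than stubbing `toString()` on a principal mock, stub the accessor the production code calls with a real value, e.g. `Mockito.when(cert.getSubjectX500Principal()).thenReturn(new X500Principal("CN=blah, OU=x"));`. The expected `" blah"` with its leading space in the last assertion encodes that CN values are deliberately not trimmed and deserves a one-line comment saying so.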
    
b930227f907a

HTTPCLIENT-1255: AbstractVerifier incorrectly parses certificate CN containing wildcard

https://github.com/apache/httpcomponents-clientOleg KalnichevskiNov 6, 2012via ghsa
3 files changed · +21 10
  • httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java+4 7 modified
    @@ -43,8 +43,6 @@
     import java.util.List;
     import java.util.Locale;
     import java.util.StringTokenizer;
    -import java.util.logging.Logger;
    -import java.util.logging.Level;
     
     import javax.net.ssl.SSLException;
     import javax.net.ssl.SSLSession;
    @@ -204,9 +202,10 @@ public final void verify(final String host, final String[] cns,
                                      !isIPAddress(host);
     
                 if(doWildcard) {
    -                if (parts[0].length() > 1) { // e.g. server*
    -                    String prefix = parts[0].substring(0, parts.length-2); // e.g. server
    -                    String suffix = cn.substring(parts[0].length()); // skip wildcard part from cn
    +                String firstpart = parts[0];
    +                if (firstpart.length() > 1) { // e.g. server*
    +                    String prefix = firstpart.substring(0, firstpart.length() - 1); // e.g. server
    +                    String suffix = cn.substring(firstpart.length()); // skip wildcard part from cn
                         String hostSuffix = hostName.substring(prefix.length()); // skip wildcard part from host
                         match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
                     } else {
    @@ -302,8 +301,6 @@ private static String[] getSubjectAlts(
                 c = cert.getSubjectAlternativeNames();
             }
             catch(CertificateParsingException cpe) {
    -            Logger.getLogger(AbstractVerifier.class.getName())
    -                    .log(Level.FINE, "Error parsing certificate.", cpe);
             }
             if(c != null) {
                 for (List<?> aC : c) {
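Review bot: In the second hunk the context line `String hostSuffix = hostName.substring(prefix.length());` runs before `hostName.startsWith(prefix)` is evaluated, so a host shorter than the literal part of the CN makes verify() throw StringIndexOutOfBoundsException instead of reporting a mismatch on the SSLException path; folding it into the short-circuit avoids that: `match = hostName.startsWith(prefix) && hostName.substring(prefix.length()).endsWith(suffix);`. Note also that `hostSuffix.endsWith(suffix)` accepts any number of extra labels between prefix and suffix (host `mail.x.a.b.c.com` against CN `m*.a.b.c.com`), which only a label-count check outside this hunk, if one exists, would constrain, and that deserves a comment either way. In the third hunk the catch of CertificateParsingException is now empty; a one-line comment such as `// unparseable SAN extension: treated as having no alternative names` should record that the fall-through is deliberate. verify() and getSubjectAlts() both start and end outside their hunks.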
    
  • httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java+12 1 modified
    @@ -300,7 +300,7 @@ public void testMatching() {
         }
     
         @Test
    -    public void HTTPCLIENT_1097() {
    +    public void testHTTPCLIENT_1097() {
             String cns[];
             String alt[] = {};
             X509HostnameVerifier bhv = new BrowserCompatHostnameVerifier();
    @@ -318,6 +318,17 @@ public void HTTPCLIENT_1097() {
             checkWildcard("s*.gouv.uk", false); // 2 character TLD, invalid 2TLD
         }
     
    +    @Test
    +    public void testHTTPCLIENT_1255() {
    +        X509HostnameVerifier bhv = new BrowserCompatHostnameVerifier();
    +        X509HostnameVerifier shv = new StrictHostnameVerifier();
    +
    +        String cns[] = new String []{"m*.a.b.c.com"}; // component part
    +        String alt[] = {};
    +        checkMatching(bhv, "mail.a.b.c.com", cns, alt, false); // OK
    +        checkMatching(shv, "mail.a.b.c.com", cns, alt, false); // OK
    +    }
    +
         // Helper
         private void checkWildcard(String host, boolean isOK) {
             Assert.assertTrue(host+" should be "+isOK, isOK==AbstractVerifier.acceptableCountryWildcard(host));
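Review bot: testHTTPCLIENT_1255 only asserts the accepting case, so it would still pass if the wildcard prefix were ignored altogether; add a host that lacks the literal prefix, e.g. `checkMatching(bhv, "xmail.a.b.c.com", cns, alt, true);`, assuming the last argument means "expect failure" as `false); // OK` on the existing calls suggests. The `// component part` and `// OK` comments say nothing about what is being exercised; a comment naming the regression, `// HTTPCLIENT-1255: prefix length was taken from parts.length instead of parts[0]`, would make the test's purpose clear. checkWildcard() continues outside the hunk.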
    
  • RELEASE_NOTES.txt+5 2 modified
    @@ -1,7 +1,10 @@
    -Changes since 4.2.1 
    +Changes in trunk
     -------------------
     
    -* [HTTPCLIENT-1248]: Default and lax redirect strategies should not convert requests redirected 
    +* [HTTPCLIENT-1255] AbstractVerifier incorrectly parses certificate CN containing wildcard
    +  Contributed by Oleg Kalnichevski <olegk at apache.org>
    +
    +* [HTTPCLIENT-1248] Default and lax redirect strategies should not convert requests redirected
       with 307 status to GET method.  
       Contributed by Oleg Kalnichevski <olegk at apache.org>
     
    
