Author Topic: Why does this work?  (Read 2283 times)

hans

  • Guitar Addict
  • Jackass In Charge
  • Posts: 3523
  • Karma: +46/-18
Why does this work?
« on: November 20, 2008, 10:41:10 PM »
So, I had a learning experience tonight. We had a customer of ours change their SSL cert and use an off brand CA. They registered an alternate domain too and it ended up breaking our SOAP calls (which use sub.domain.com and their cert was for www.edomain.com). They thought it might be because the CA wasn't common and so I ended up adding the root cert for the CA and it seemed to work.

This doesn't make sense to me as I'm accustomed to being challenged due to the domain mismatch. Can anyone explain how this is working without throwing some sort of error? This app is on Java 1.4.
This signature intentionally left blank.

webwhy

  • Jackass IV
  • Posts: 608
  • Karma: +15/-10
Re: Why does this work?
« Reply #1 on: November 21, 2008, 12:49:21 PM »
depends on the implementation being used in the SOAP stack.  e.g. in commons httpclient, you can use AllowAllHostnameVerifier for your HostnameVerifier implementation, which will not throw an exception on domain name mismatch.

it might even be exposed as a configurable property in the implementation you're using...
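As an added illustration (not code from either poster, nor from Axis or HttpClient): the permissive javax.net.ssl.HostnameVerifier pattern webwhy describes, next to a strict one that compares the requested host against the certificate's subjectAltName dNSName entries, so a cert issued for www.edomain.com is rejected when the call goes to sub.domain.com. Class and method names are assumed; the verifier is installed process-wide via HttpsURLConnection, which is the JSSE hook (custom SSL socket factories in a SOAP stack may bypass it).

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class HostnameCheckDemo {

    // The permissive pattern: every mismatch is accepted, so a cert issued
    // for www.edomain.com silently "works" for sub.domain.com.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) { return true; }
    };

    // Strict replacement: accept only if a dNSName SAN (type 2) matches the
    // host exactly or as a single-label wildcard. No CN fallback, fails closed.
    // Install with HttpsURLConnection.setDefaultHostnameVerifier(STRICT).
    static final HostnameVerifier STRICT = new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) {
            try {
                X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                return matchesSan(host, leaf);
            } catch (SSLPeerUnverifiedException e) {
                return false; // peer not authenticated: reject
            } catch (CertificateParsingException e) {
                return false; // unreadable SAN extension: reject
            }
        }
    };

    static boolean matchesSan(String host, X509Certificate cert)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;            // no SAN at all: fail closed
        String h = host.toLowerCase();
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() != 2) continue; // 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(h)) return true;
            int dot = h.indexOf('.');                // "*.edomain.com" matches one label only
            if (name.startsWith("*.") && dot > 0 && h.substring(dot).equals(name.substring(1))) return true;
        }
        return false;
    }
}
```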

hans

  • Guitar Addict
  • Jackass In Charge
  • Posts: 3523
  • Karma: +46/-18
Re: Why does this work?
« Reply #2 on: November 21, 2008, 12:59:43 PM »
We're using an old version of Axis for the SOAP. I'm going to have to look into this further. I've got a few posts to figure out what's responsible for letting this through.

It doesn't make sense to me that the default for any lib would be to allow such a thing. And I've been looking through the code (the project is before my time) looking for anything specific to allow the behavior.

Oddly, Chrome doesn't challenge me when I try to hit the website with the wrong cert, every other browser does. That seems bad to me.

Thankfully, this isn't a super secure application or anything but I do want to get it figured.