RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/jakarta-commons-httpclient#fdacc772470ef0821cf10c83ddd654263e7967c5

.gitignore

@@ -0,0 +1 @@
+commons-httpclient-3.1-src.tar.gz

0000-disable-crypto-tests.patch

@@ -0,0 +1,37 @@
+From b8aa0e661cdd84786d6d922712493308fbbae9b0 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:44:32 +0200
+Subject: [PATCH 0/6] disable crypto tests
+
+---
+ src/test/org/apache/commons/httpclient/TestAll.java              | 1 -
+ src/test/org/apache/commons/httpclient/params/TestParamsAll.java | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/src/test/org/apache/commons/httpclient/TestAll.java b/src/test/org/apache/commons/httpclient/TestAll.java
+index a188a99..053b148 100644
+--- a/src/test/org/apache/commons/httpclient/TestAll.java
++++ b/src/test/org/apache/commons/httpclient/TestAll.java
+@@ -101,7 +101,6 @@ public class TestAll extends TestCase {
+         // Non compliant behaviour
+         suite.addTest(TestNoncompliant.suite());
+         // Proxy
+-        suite.addTest(TestProxy.suite());
+         suite.addTest(TestProxyWithRedirect.suite());
+         return suite;
+     }
+diff --git a/src/test/org/apache/commons/httpclient/params/TestParamsAll.java b/src/test/org/apache/commons/httpclient/params/TestParamsAll.java
+index 2f1db55..8beaf72 100644
+--- a/src/test/org/apache/commons/httpclient/params/TestParamsAll.java
++++ b/src/test/org/apache/commons/httpclient/params/TestParamsAll.java
+@@ -44,7 +44,6 @@ public class TestParamsAll extends TestCase {
+     public static Test suite() {
+         TestSuite suite = new TestSuite();
+         suite.addTest(TestHttpParams.suite());
+-        suite.addTest(TestSSLTunnelParams.suite());
+         return suite;
+     }
+ 
+-- 
+2.26.2
+

0001-add-osgi-manifest.patch

@@ -0,0 +1,45 @@
+From 5420ed119149c39b2de54bc7808afbda0aec65cd Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:46:40 +0200
+Subject: [PATCH 1/6] add osgi manifest
+
+---
+ src/conf/MANIFEST.MF | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/conf/MANIFEST.MF b/src/conf/MANIFEST.MF
+index 67cf62c..6ae735f 100644
+--- a/src/conf/MANIFEST.MF
++++ b/src/conf/MANIFEST.MF
+@@ -3,4 +3,27 @@ Specification-Vendor: Apache Software Foundation
+ Specification-Version: 1.0
+ Implementation-Vendor: Apache Software Foundation
+ Implementation-Version: @version@
+-
++Bundle-ManifestVersion: 2
++Bundle-Name: %bundleName
++Bundle-SymbolicName: org.apache.commons.httpclient
++Bundle-Version: 3.1.0.v20080605-1935
++Import-Package: javax.crypto;resolution:=optional,
++ javax.crypto.spec;resolution:=optional,
++ javax.net;resolution:=optional,
++ javax.net.ssl;resolution:=optional,
++ org.apache.commons.codec;version="[1.2.0,2.0.0)",
++ org.apache.commons.codec.binary;version="[1.2.0,2.0.0)",
++ org.apache.commons.codec.net;version="[1.2.0,2.0.0)",
++ org.apache.commons.logging;version="[1.0.4,2.0.0)"
++Export-Package: org.apache.commons.httpclient;version="3.1.0",
++ org.apache.commons.httpclient.auth;version="3.1.0",
++ org.apache.commons.httpclient.cookie;version="3.1.0",
++ org.apache.commons.httpclient.methods;version="3.1.0",
++ org.apache.commons.httpclient.methods.multipart;version="3.1.0",
++ org.apache.commons.httpclient.params;version="3.1.0",
++ org.apache.commons.httpclient.protocol;version="3.1.0",
++ org.apache.commons.httpclient.util;version="3.1.0"
++Bundle-Vendor: %bundleProvider
++Bundle-Localization: plugin
++Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,
++ J2SE-1.2
+-- 
+2.26.2
+

0002-encoding.patch

@@ -0,0 +1,48 @@
+From 00274a68493341c991fa1dfe13b67d4ff7c4e432 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:47:03 +0200
+Subject: [PATCH 2/6] encoding
+
+---
+ build.xml | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/build.xml b/build.xml
+index 7c339bd..b65b5c8 100644
+--- a/build.xml
++++ b/build.xml
+@@ -179,6 +179,7 @@
+           description="Compile shareable components">
+     <javac srcdir      ="${source.home}/java"
+            destdir     ="${build.home}/classes"
++           encoding    ="ISO-8859-1"
+            debug       ="${compile.debug}"
+            deprecation ="${compile.deprecation}"
+            optimize    ="${compile.optimize}">
+@@ -186,6 +187,7 @@
+     </javac>
+     <javac srcdir      ="${source.home}/examples"
+            destdir     ="${build.home}/examples"
++           encoding    ="ISO-8859-1"
+            debug       ="${compile.debug}"
+            deprecation ="${compile.deprecation}"
+            optimize    ="${compile.optimize}">
+@@ -197,6 +199,7 @@
+           description="Compile unit test cases">
+     <javac srcdir      ="${test.home}"
+            destdir     ="${build.home}/tests"
++           encoding    ="ISO-8859-1"
+            debug       ="${compile.debug}"
+            deprecation ="${compile.deprecation}"
+            optimize    ="${compile.optimize}">
+@@ -241,6 +244,7 @@
+     <mkdir dir="${dist.home}/docs/api"/>
+     <javadoc sourcepath   ="${source.home}/java"
+              destdir      ="${dist.home}/docs/api"
++             encoding     ="ISO-8859-1"
+              packagenames ="org.apache.commons.*"
+              author       ="true"
+              protected    ="true"
+-- 
+2.26.2
+

0003-CVE-2012-5783.patch

@@ -0,0 +1,382 @@
+From c9ac025455d10c62ec4fda942318ac28cfdd4c91 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:47:47 +0200
+Subject: [PATCH 3/6] CVE-2012-5783
+
+---
+ .../protocol/SSLProtocolSocketFactory.java    | 301 +++++++++++++++++-
+ 1 file changed, 293 insertions(+), 8 deletions(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index f176fed..fa0acc7 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -31,10 +31,25 @@
+ package org.apache.commons.httpclient.protocol;
+ 
+ import java.io.IOException;
++import java.io.InputStream;
+ import java.net.InetAddress;
+ import java.net.Socket;
+ import java.net.UnknownHostException;
++import java.security.cert.Certificate;
++import java.security.cert.CertificateParsingException;
++import java.security.cert.X509Certificate;
++import java.util.Arrays;
++import java.util.Collection;
++import java.util.Iterator;
++import java.util.LinkedList;
++import java.util.List;
++import java.util.Locale;
++import java.util.StringTokenizer;
++import java.util.regex.Pattern;
+ 
++import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLSession;
++import javax.net.ssl.SSLSocket;
+ import javax.net.ssl.SSLSocketFactory;
+ 
+ import org.apache.commons.httpclient.ConnectTimeoutException;
+@@ -55,6 +70,11 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+      */
+     private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory();
+     
++    // This is a a sorted list, if you insert new elements do it orderdered.
++    private final static String[] BAD_COUNTRY_2LDS =
++        {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
++            "lg", "ne", "net", "or", "org"};
++    
+     /**
+      * Gets an singleton instance of the SSLProtocolSocketFactory.
+      * @return a SSLProtocolSocketFactory
+@@ -79,12 +99,14 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+         InetAddress clientHost,
+         int clientPort)
+         throws IOException, UnknownHostException {
+-        return SSLSocketFactory.getDefault().createSocket(
++        Socket sslSocket =  SSLSocketFactory.getDefault().createSocket(
+             host,
+             port,
+             clientHost,
+             clientPort
+         );
++        verifyHostName(host, (SSLSocket) sslSocket);
++        return sslSocket;
+     }
+ 
+     /**
+@@ -124,16 +146,19 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+         }
+         int timeout = params.getConnectionTimeout();
+         if (timeout == 0) {
+-            return createSocket(host, port, localAddress, localPort);
++            Socket sslSocket =  createSocket(host, port, localAddress, localPort);
++            verifyHostName(host, (SSLSocket) sslSocket);
++            return sslSocket;
+         } else {
+             // To be eventually deprecated when migrated to Java 1.4 or above
+-            Socket socket = ReflectionSocketFactory.createSocket(
++            Socket sslSocket = ReflectionSocketFactory.createSocket(
+                 "javax.net.ssl.SSLSocketFactory", host, port, localAddress, localPort, timeout);
+-            if (socket == null) {
+-                socket = ControllerThreadSocketFactory.createSocket(
++            if (sslSocket == null) {
++            	sslSocket = ControllerThreadSocketFactory.createSocket(
+                     this, host, port, localAddress, localPort, timeout);
+             }
+-            return socket;
++            verifyHostName(host, (SSLSocket) sslSocket);
++            return sslSocket;
+         }
+     }
+ 
+@@ -142,10 +167,12 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+      */
+     public Socket createSocket(String host, int port)
+         throws IOException, UnknownHostException {
+-        return SSLSocketFactory.getDefault().createSocket(
++        Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
+             host,
+             port
+         );
++        verifyHostName(host, (SSLSocket) sslSocket);
++        return sslSocket;
+     }
+ 
+     /**
+@@ -157,13 +184,271 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+         int port,
+         boolean autoClose)
+         throws IOException, UnknownHostException {
+-        return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket(
++        Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket(
+             socket,
+             host,
+             port,
+             autoClose
+         );
++        verifyHostName(host, (SSLSocket) sslSocket);
++        return sslSocket;
+     }
++    
++
++    
++    
++    /**
++     * Verifies that the given hostname in certicifate is the hostname we are trying to connect to
++     * http://www.cvedetails.com/cve/CVE-2012-5783/
++     * @param host
++     * @param ssl
++     * @throws IOException
++     */
++    
++	private static void verifyHostName(String host, SSLSocket ssl)
++			throws IOException {
++		if (host == null) {
++			throw new IllegalArgumentException("host to verify was null");
++		}
++
++		SSLSession session = ssl.getSession();
++		if (session == null) {
++            // In our experience this only happens under IBM 1.4.x when
++            // spurious (unrelated) certificates show up in the server's chain.
++            // Hopefully this will unearth the real problem:
++			InputStream in = ssl.getInputStream();
++			in.available();
++            /*
++                 If you're looking at the 2 lines of code above because you're
++                 running into a problem, you probably have two options:
++
++                    #1.  Clean up the certificate chain that your server
++                         is presenting (e.g. edit "/etc/apache2/server.crt" or
++                         wherever it is your server's certificate chain is
++                         defined).
++
++                                             OR
++
++                    #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch to a
++                          non-IBM JVM.
++              */
++
++            // If ssl.getInputStream().available() didn't cause an exception,
++            // maybe at least now the session is available?
++			session = ssl.getSession();
++			if (session == null) {
++                // If it's still null, probably a startHandshake() will
++                // unearth the real problem.
++				ssl.startHandshake();
++
++                // Okay, if we still haven't managed to cause an exception,
++                // might as well go for the NPE.  Or maybe we're okay now?
++				session = ssl.getSession();
++			}
++		}
++
++		Certificate[] certs = session.getPeerCertificates();
++		verifyHostName(host.trim().toLowerCase(Locale.US),  (X509Certificate) certs[0]);
++	}
++	/**
++	 * Extract the names from the certificate and tests host matches one of them
++	 * @param host
++	 * @param cert
++	 * @throws SSLException
++	 */
++
++	private static void verifyHostName(final String host, X509Certificate cert)
++			throws SSLException {
++        // I'm okay with being case-insensitive when comparing the host we used
++        // to establish the socket to the hostname in the certificate.
++        // Don't trim the CN, though.
++        
++		String cn = getCN(cert);
++		String[] subjectAlts = getDNSSubjectAlts(cert);
++		verifyHostName(host, cn.toLowerCase(Locale.US), subjectAlts);
++
++	}
++
++	/**
++	 * Extract all alternative names from a certificate.
++	 * @param cert
++	 * @return
++	 */
++	private static String[] getDNSSubjectAlts(X509Certificate cert) {
++		LinkedList subjectAltList = new LinkedList();
++		Collection c = null;
++		try {
++			c = cert.getSubjectAlternativeNames();
++		} catch (CertificateParsingException cpe) {
++			// Should probably log.debug() this?
++			cpe.printStackTrace();
++		}
++		if (c != null) {
++			Iterator it = c.iterator();
++			while (it.hasNext()) {
++				List list = (List) it.next();
++				int type = ((Integer) list.get(0)).intValue();
++				// If type is 2, then we've got a dNSName
++				if (type == 2) {
++					String s = (String) list.get(1);
++					subjectAltList.add(s);
++				}
++			}
++		}
++		if (!subjectAltList.isEmpty()) {
++			String[] subjectAlts = new String[subjectAltList.size()];
++			subjectAltList.toArray(subjectAlts);
++			return subjectAlts;
++		} else {
++			return new String[0];
++		}
++	        
++	}
++	/**
++	 * Verifies
++	 * @param host
++	 * @param cn
++	 * @param subjectAlts
++	 * @throws SSLException
++	 */
++
++	private static void verifyHostName(final String host, String cn, String[] subjectAlts)throws SSLException{
++		StringBuffer cnTested = new StringBuffer();
++
++		for (int i = 0; i < subjectAlts.length; i++){
++			String name = subjectAlts[i];
++			if (name != null) {
++				name = name.toLowerCase();
++				if (verifyHostName(host, name)){
++					return;
++				}
++				cnTested.append("/").append(name);
++			}				
++		}
++		if (cn != null && verifyHostName(host, cn)){
++			return;
++		}
++		cnTested.append("/").append(cn);
++		throw new SSLException("hostname in certificate didn't match: <"
++					+ host + "> != <" + cnTested + ">");
++		
++	}		
++	
++	private static boolean verifyHostName(final String host, final String cn){
++		if (doWildCard(cn) && !isIPAddress(host)) {
++			return matchesWildCard(cn, host);
++		} 
++		return host.equalsIgnoreCase(cn);		
++	}
++    private static boolean doWildCard(String cn) {
++		// Contains a wildcard
++		// wildcard in the first block
++    	// not an ipaddress (ip addres must explicitily be equal)
++    	// not using 2nd level common tld : ex: not for *.co.uk
++    	String parts[] = cn.split("\\.");
++    	return parts.length >= 3 &&
++    			parts[0].endsWith("*") &&
++    			acceptableCountryWildcard(cn) &&
++    			!isIPAddress(cn);
++    }
++    
++    
++	private static final Pattern IPV4_PATTERN = 
++			Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$");
++
++	private static final Pattern IPV6_STD_PATTERN = 
++			Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$");
++
++	private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = 
++			Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$");
++
++
++	private static boolean isIPAddress(final String hostname) {
++		return hostname != null
++				&& (
++						IPV4_PATTERN.matcher(hostname).matches()
++						|| IPV6_STD_PATTERN.matcher(hostname).matches() 
++						|| IPV6_HEX_COMPRESSED_PATTERN.matcher(hostname).matches()
++		);
++
++	}
++
++	private static boolean acceptableCountryWildcard(final String cn) {
++		// The CN better have at least two dots if it wants wildcard action,
++		// but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc...
++		// The [*.co.uk] problem is an interesting one. Should we just
++		// hope that CA's would never foolishly allow such a
++		// certificate to happen?
++    	
++		String[] parts = cn.split("\\.");
++		// Only checks for 3 levels, with country code of 2 letters.
++		if (parts.length > 3 || parts[parts.length - 1].length() != 2) {
++			return true;
++		}
++		String countryCode = parts[parts.length - 2];
++		return Arrays.binarySearch(BAD_COUNTRY_2LDS, countryCode) < 0;
++	}
++
++	private static boolean matchesWildCard(final String cn,
++			final String hostName) {
++		String parts[] = cn.split("\\.");
++		boolean match = false;
++		String firstpart = parts[0];
++		if (firstpart.length() > 1) {
++			// server∗
++			// e.g. server
++			String prefix =  firstpart.substring(0, firstpart.length() - 1);
++			// skipwildcard part from cn
++			String suffix = cn.substring(firstpart.length()); 
++			// skip wildcard part from host
++			String hostSuffix = hostName.substring(prefix.length());			
++			match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
++		} else {
++			match = hostName.endsWith(cn.substring(1));
++		}
++		if (match) {
++			// I f we're in strict mode ,
++			// [ ∗.foo.com] is not allowed to match [a.b.foo.com]
++			match = countDots(hostName) == countDots(cn);
++		}
++		return match;
++	}
++
++	private static int countDots(final String data) {
++		int dots = 0;
++		for (int i = 0; i < data.length(); i++) {
++			if (data.charAt(i) == '.') {
++				dots += 1;
++			}
++		}
++		return dots;
++	}
++
++	private static String getCN(X509Certificate cert) {
++        // Note:  toString() seems to do a better job than getName()
++        //
++        // For example, getName() gives me this:
++        // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
++        //
++        // whereas toString() gives me this:
++        // EMAILADDRESS=juliusdavies@cucbc.com        
++		String subjectPrincipal = cert.getSubjectX500Principal().toString();
++		
++		return getCN(subjectPrincipal);
++
++	}
++	private static String getCN(String subjectPrincipal) {
++		StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
++		while(st.hasMoreTokens()) {
++			String tok = st.nextToken().trim();
++			if (tok.length() > 3) {
++				if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
++					return tok.substring(3);
++				}
++			}
++		}
++		return null;
++	}
+ 
+     /**
+      * All instances of SSLProtocolSocketFactory are the same.
+-- 
+2.26.2
+

0004-CVE-2014-3577.patch

@@ -0,0 +1,92 @@
+From 1bef0d6f6e8f2f68e996737d7be598613e2060b2 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:48:08 +0200
+Subject: [PATCH 4/6] CVE-2014-3577
+
+---
+ .../protocol/SSLProtocolSocketFactory.java    | 57 ++++++++++++-------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+ 
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ 		return dots;
+ 	}
+ 
+-	private static String getCN(X509Certificate cert) {
+-        // Note:  toString() seems to do a better job than getName()
+-        //
+-        // For example, getName() gives me this:
+-        // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-        //
+-        // whereas toString() gives me this:
+-        // EMAILADDRESS=juliusdavies@cucbc.com        
+-		String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-		
+-		return getCN(subjectPrincipal);
+-
++	private static String getCN(final X509Certificate cert) {
++		final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++		try {
++			return extractCN(subjectPrincipal);
++		} catch (SSLException ex) {
++			return null;
++		}
+ 	}
+-	private static String getCN(String subjectPrincipal) {
+-		StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+-		while(st.hasMoreTokens()) {
+-			String tok = st.nextToken().trim();
+-			if (tok.length() > 3) {
+-				if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+-					return tok.substring(3);
++
++	private static String extractCN(final String subjectPrincipal) throws SSLException {
++		if (subjectPrincipal == null) {
++			return null;
++		}
++		try {
++			final LdapName subjectDN = new LdapName(subjectPrincipal);
++			final List<Rdn> rdns = subjectDN.getRdns();
++			for (int i = rdns.size() - 1; i >= 0; i--) {
++				final Rdn rds = rdns.get(i);
++				final Attributes attributes = rds.toAttributes();
++				final Attribute cn = attributes.get("cn");
++				if (cn != null) {
++					try {
++						final Object value = cn.get();
++						if (value != null) {
++							return value.toString();
++						}
++					} catch (NoSuchElementException ignore) {
++					} catch (NamingException ignore) {
++					}
+ 				}
+ 			}
++		} catch (InvalidNameException e) {
++			throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
+ 		}
+ 		return null;
+ 	}
+-- 
+2.26.2
+

0005-CVE-2015-5262.patch

@@ -0,0 +1,35 @@
+From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:48:18 +0200
+Subject: [PATCH 5/6] CVE-2015-5262
+
+---
+ .../httpclient/protocol/SSLProtocolSocketFactory.java        | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+         }
+         int timeout = params.getConnectionTimeout();
+         if (timeout == 0) {
+-            Socket sslSocket =  createSocket(host, port, localAddress, localPort);
++            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++                host, port, localAddress, localPort);
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+             	sslSocket = ControllerThreadSocketFactory.createSocket(
+                     this, host, port, localAddress, localPort, timeout);
+             }
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         }
+-- 
+2.26.2
+

0006-java-1.8.patch

@@ -0,0 +1,43 @@
+From 0f7039eb291fef51ae23fda4edd0c6c50d48bcde Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:49:24 +0200
+Subject: [PATCH 6/6] java 1.8
+
+---
+ build.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/build.xml b/build.xml
+index b65b5c8..9d45e48 100644
+--- a/build.xml
++++ b/build.xml
+@@ -179,6 +179,8 @@
+           description="Compile shareable components">
+     <javac srcdir      ="${source.home}/java"
+            destdir     ="${build.home}/classes"
++           source      ="1.8"
++           target      ="1.8"
+            encoding    ="ISO-8859-1"
+            debug       ="${compile.debug}"
+            deprecation ="${compile.deprecation}"
+@@ -187,6 +189,8 @@
+     </javac>
+     <javac srcdir      ="${source.home}/examples"
+            destdir     ="${build.home}/examples"
++           source      ="1.8"
++           target      ="1.8"
+            encoding    ="ISO-8859-1"
+            debug       ="${compile.debug}"
+            deprecation ="${compile.deprecation}"
+@@ -199,6 +203,8 @@
+           description="Compile unit test cases">
+     <javac srcdir      ="${test.home}"
+            destdir     ="${build.home}/tests"
++           source      ="1.8"
++           target      ="1.8"
+            encoding    ="ISO-8859-1"
+            debug       ="${compile.debug}"
+            deprecation ="${compile.deprecation}"
+-- 
+2.26.2
+

jakarta-commons-httpclient.spec

@@ -0,0 +1,394 @@
+%global short_name httpclient
+
+Name:           jakarta-commons-httpclient
+Version:        3.1
+Release:        36%{?dist}
+Summary: Jakarta Commons HTTPClient implements the client side of HTTP standards
+License:        ASL 2.0 and (ASL 2.0 or LGPLv2+)
+URL:            http://jakarta.apache.org/commons/httpclient/
+Epoch:          1
+Source0:        http://archive.apache.org/dist/httpcomponents/commons-httpclient/source/commons-httpclient-3.1-src.tar.gz
+Source1:        http://repo.maven.apache.org/maven2/commons-httpclient/commons-httpclient/%{version}/commons-httpclient-%{version}.pom
+Patch0:         0000-disable-crypto-tests.patch
+# Add OSGi MANIFEST.MF bits
+Patch1:         0001-add-osgi-manifest.patch
+Patch2:         0002-encoding.patch
+# CVE-2012-5783: missing connection hostname check against X.509 certificate name
+# https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573
+Patch3:         0003-CVE-2012-5783.patch
+Patch4:         0004-CVE-2014-3577.patch
+Patch5:         0005-CVE-2015-5262.patch
+Patch6:         0006-java-1.8.patch
+
+BuildArch:      noarch
+
+# FIXME: we need BR maven-local, because we're using macros like mvn_install
+# this should be changed to "javapackages-local" when javapackages-tools 4.0.0 is out
+BuildRequires:  maven-local
+BuildRequires:  ant
+BuildRequires:  apache-commons-codec
+BuildRequires:  apache-commons-logging >= 0:1.0.3
+BuildRequires:  apache-commons-logging-javadoc
+BuildRequires:  java-javadoc
+BuildRequires:  junit
+
+Requires:       java-headless
+Requires:       apache-commons-logging >= 0:1.0.3
+Requires:       apache-commons-codec
+Provides:       deprecated()
+
+%description
+The Hyper-Text Transfer Protocol (HTTP) is perhaps the most significant
+protocol used on the Internet today. Web services, network-enabled
+appliances and the growth of network computing continue to expand the
+role of the HTTP protocol beyond user-driven web browsers, and increase
+the number of applications that may require HTTP support.
+Although the java.net package provides basic support for accessing
+resources via HTTP, it doesn't provide the full flexibility or
+functionality needed by many applications. The Jakarta Commons HTTP
+Client component seeks to fill this void by providing an efficient,
+up-to-date, and feature-rich package implementing the client side of the
+most recent HTTP standards and recommendations.
+Designed for extension while providing robust support for the base HTTP
+protocol, the HTTP Client component may be of interest to anyone
+building HTTP-aware client applications such as web browsers, web
+service clients, or systems that leverage or extend the HTTP protocol
+for distributed communication.
+
+%package        javadoc
+Summary:        Javadoc for %{name}
+Provides:       deprecated()
+
+%description    javadoc
+%{summary}.
+
+%package        demo
+Summary:        Demos for %{name}
+Requires:       %{name} = %{epoch}:%{version}-%{release}
+Provides:       deprecated()
+
+%description    demo
+%{summary}.
+
+%package        manual
+Summary:        Manual for %{name}
+Requires:       %{name}-javadoc = %{epoch}:%{version}-%{release}
+Provides:       deprecated()
+
+%description    manual
+%{summary}.
+
+
+%prep
+%setup -q -n commons-httpclient-%{version}
+mkdir lib # duh
+build-jar-repository -p lib commons-codec commons-logging junit
+rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej
+
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+
+# Use javax classes, not com.sun ones
+# assume no filename contains spaces
+pushd src
+    for j in $(find . -name "*.java" -exec grep -l 'com\.sun\.net\.ssl' {} \;); do
+        sed -e 's|com\.sun\.net\.ssl|javax.net.ssl|' $j > tempf
+        cp tempf $j
+    done
+    rm tempf
+popd
+
+%mvn_alias : apache:commons-httpclient
+%mvn_file ":{*}" jakarta-@1 "@1" commons-%{short_name}3
+
+%build
+ant \
+  -Dbuild.sysclasspath=first \
+  -Djavadoc.j2sdk.link=%{_javadocdir}/java \
+  -Djavadoc.logging.link=%{_javadocdir}/jakarta-commons-logging \
+  -Dtest.failonerror=false \
+  -Djavac.encoding=UTF-8 \
+  dist test
+
+%install
+%mvn_artifact %{SOURCE1} dist/commons-httpclient.jar
+%mvn_install -J dist/docs/api
+
+# demo
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}
+cp -pr src/examples src/contrib $RPM_BUILD_ROOT%{_datadir}/%{name}
+
+# manual and docs
+rm -Rf dist/docs/{api,BUILDING.txt,TESTING.txt}
+ln -s %{_javadocdir}/%{name} dist/docs/apidocs
+
+
+%files -f .mfiles
+%doc LICENSE NOTICE
+%doc README RELEASE_NOTES
+
+%files javadoc -f .mfiles-javadoc
+%doc LICENSE NOTICE
+
+%files demo
+%{_datadir}/%{name}
+
+%files manual
+%doc dist/docs/*
+
+
+%changelog
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-36
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sat Jul 18 2020 Fabio Valentini <decathorpe@gmail.com> - 1:3.1-35
+- Override javac source / target version with 1.8 to fix Java 11 issues.
+- Simplified patch structure.
+
+* Fri Jul 10 2020 Jiri Vanek <jvanek@redhat.com> - 1:3.1-34
+- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-33
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-32
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-31
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-30
+- Mark package as deprecated
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-29
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-27
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Feb 23 2017 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-26
+- Use build-jar-repository for locating dependencies
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-25
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.1-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Sep 11 2015 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-23
+- Respect configured SO_TIMEOUT during SSL handshake
+- Resolves: CVE-2015-5262
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Oct 14 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-21
+- Remove legacy Obsoletes/Provides
+
+* Mon Aug 18 2014 Michal Srb <msrb@redhat.com> - 1:3.1-20
+- Fix MITM security vulnerability
+- Resolves: CVE-2014-3577
+
+* Mon Aug 11 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-19
+- Add alias for apache:commons-httpclient
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 21 2014 Michal Srb <msrb@redhat.com> - 1:3.1-17
+- Adapt to current guidelines
+
+* Wed May 21 2014 Michal Srb <msrb@redhat.com> - 1:3.1-16
+- Migrate to mfiles
+
+* Tue Mar 04 2014 Stanislav Ochotnicky <sochotnicky@redhat.com> - 1:3.1-15
+- Use Requires: java-headless rebuild (#1067528)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Jan 21 2013 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-12
+- Add missing connection hostname check against X.509 certificate name
+- Resolves: CVE-2012-5783
+
+* Thu Nov  1 2012 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-11
+- Add maven POM
+
+* Thu Sep 20 2012 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-10
+- Fix license tag
+
+* Thu Sep 20 2012 Mikolaj Izdebski <mizdebsk@redhat.com> - 1:3.1-9
+- Install LICENSE and NOTICE files
+- Add missing R: java, jpackage-utils
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jan 22 2012 Andy Grimm <agrimm@gmail.com> - 1:3.1-7
+- Fix character encoding
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jun 28 2011 Stanislav Ochotnicky <sochotnicky@redhat.com> - 1:3.1-5
+- Fix symlinks in javadir
+
+* Tue Jun 28 2011 Alexander Kurtakov <akurtako@redhat.com> 1:3.1-4
+- Fix FTBFS.
+- Adapt to current guidelines.
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Nov 10 2010 Alexander Kurtakov <akurtako@redhat.com> 1:3.1-2
+- Add missing requires on commons-codec.
+
+* Fri Jul 16 2010 Alexander Kurtakov <akurtako@redhat.com> 1:3.1-1
+- Drop gcj_support.
+- Fix FTBFS.
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-0.5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.1-0.4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Jul 24 2008 Andrew Overholt <overholt@redhat.com> 1:3.1-0.3
+- Update OSGi MANIFEST.MF
+
+* Wed Jul  9 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1:3.1-0.2
+- drop repotag
+- fix license tag
+
+* Fri Apr 04 2008 Deepak Bhole <dbhole@redhat.com> - 0:3.1-0jpp.1
+- Update to 3.1
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1:3.0.1-2jpp.2
+- Autorebuild for GCC 4.3
+
+* Thu Sep 06 2007 Andrew Overholt <overholt@redhat.com> 1:3.0.1-1jpp.2
+- Add OSGi MANIFEST.MF information.
+
+* Fri Mar 16 2007 Permaine Cheung <pcheung@redhat.com> - 1:3.0.1-1jpp.1
+- Merge with upstream and more rpmlint cleanup.
+
+* Thu Feb 15 2007 Fernando Nasser <fnasser@redhat.com> - 1:3.0.1-1jpp
+- Upgrade to 3.0.1
+
+* Fri Jan 26 2007 Permaine Cheung <pcheung@redhat.com> - 1:3.0-8jpp
+- Added versions for provides and obsoletes and rpmlint cleanup.
+
+* Thu Aug 10 2006 Deepak Bhole <dbhole@redhat.com> - 1:3.0-7jpp.1
+- Added missing requirements.
+- Added missing postun section for javadoc.
+
+* Sat Jul 22 2006 Jakub Jelinek <jakub@redhat.com> - 1:3.0-6jpp_2fc
+- Rebuilt
+
+* Thu Jul 20 2006 Deepak Bhole <dbhole@redhat.com> - 1:3.0-6jpp_1fc
+- Added conditional native compilation.
+- Disable certain ssl related tests that are known to fail with libgcj.
+
+* Thu Apr 06 2006 Fernando Nasser <fnasser@redhat.com> - 1:3.0-5jpp
+- Improve backwards compatibility and force removal of older versioned
+  packages
+
+* Thu Apr 06 2006 Fernando Nasser <fnasser@redhat.com> - 1:3.0-4jpp
+- Remove duplicate release definition
+- Require simply a jaxp 1.3
+
+* Thu Apr 06 2006 Fernando Nasser <fnasser@redhat.com> - 1:3.0-3jpp
+- BR xml-commons-jaxp-1.3-apis
+
+* Thu Apr 06 2006 Ralph Apel <r.apel@r-apel.de> - 1:3.0-2jpp
+- Fix tarball typo
+- assure javax classes are used instead of com.sun. ones
+
+* Wed Apr 05 2006 Ralph Apel <r.apel@r-apel.de> - 1:3.0-1jpp
+- 3.0 final, drop main version in name
+
+* Thu Oct 20 2005 Jason Corley <jason.corley@gmail.com> - 1:3.0-0.rc4.1jpp
+- 3.0rc4
+
+* Thu May 05 2005 Fernando Nasser <fnasser@redhat.com> - 1:3.0-0.rc2.1jpp
+- Update to 3.0 rc2.
+
+* Thu Nov  4 2004 Ville Skyttä <ville.skytta at iki.fi> - 1:2.0.2-1jpp
+- Update to 2.0.2.
+- Fix Group tag in -manual.
+
+* Sun Aug 23 2004 Randy Watler <rwatler at finali.com> - 0:2.0-2jpp
+- Rebuild with ant-1.6.2
+
+* Mon Feb 16 2004 Kaj J. Niemi <kajtzu@fi.basen.net> - 0:2.0-1jpp
+- 2.0 final
+
+* Thu Jan 22 2004 David Walluck <david@anti-microsoft.org> 0:2.0-0.rc3.1jpp
+- 2.0-rc3
+- bump epoch
+
+* Tue Oct 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:2.0-3.rc2.1jpp
+- Update to 2.0rc2.
+- Manual subpackage.
+- Crosslink with local J2SE javadocs.
+- Own unversioned javadoc dir symlink.
+
+* Fri Aug 15 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:2.0-3.rc1.1jpp
+- Update to 2.0rc1.
+- Include "jakarta-"-less jar symlinks for consistency with other packages.
+- Exclude example and contrib sources from main package, they're in -demo.
+
+* Wed Jul  9 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:2.0-2.beta2.1jpp
+- Update to 2.0 beta 2.
+- Demo subpackage.
+- Crosslink with local commons-logging javadocs.
+
+* Wed Jun  4 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:2.0-2.beta1.1jpp
+- Update to 2.0 beta 1.
+- Non-versioned javadoc symlinking.
+
+* Fri Apr  4 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:2.0-1.alpha3.2jpp
+- Rebuild for JPackage 1.5.
+
+* Wed Feb 26 2003 Ville Skyttä <ville.skytta at iki.fi> - 2.0-1.alpha3.1jpp
+- Update to 2.0 alpha 3.
+- Fix Group tags.
+- Run standalone unit tests during build.
+
+* Thu Sep 12 2002 Ville Skyttä <ville.skytta at iki.fi> 2.0-0.cvs20020909.1jpp
+- Tune the rpm release number tag so rpm2html doesn't barf on it.
+
+* Mon Sep  9 2002 Ville Skyttä <ville.skytta at iki.fi> 2.0-0.20020909alpha1.1jpp
+- 2.0alpha1 snapshot 20020909.
+- Use sed instead of bash extensions when symlinking jars during build.
+- Add distribution tag.
+- Require commons-logging instead of log4j.
+
+* Sat Jan 19 2002 Guillaume Rousse <guillomovitch@users.sourceforge.net> 1.0-4jpp
+- renamed to jakarta-commons-httpclient
+- additional sources in individual archives
+- versioned dir for javadoc
+- no dependencies for javadoc package
+- dropped j2ee package
+- adapted to new jsse package
+- section macro
+
+* Fri Dec 7 2001 Guillaume Rousse <guillomovitch@users.sourceforge.net> 1.0-3jpp
+- javadoc into javadoc package
+
+* Sat Nov 3 2001 Guillaume Rousse <guillomovitch@users.sourceforge.net> 1.0-2jpp
+- fixed jsse subpackage
+
+* Fri Nov 2 2001 Guillaume Rousse <guillomovitch@users.sourceforge.net> 1.0-1jpp
+- first JPackage release

sources

@@ -0,0 +1,2 @@
+2c9b0f83ed5890af02c0df1c1776f39b  commons-httpclient-3.1-src.tar.gz
+628c4159aa23a5c797df694b7625984c  commons-httpclient-3.1.pom