[icedtea-web] RFC: PR769: IcedTea-Web plugin does not work with some ssl sites with OpenJDK7

[Deepak Bhole]

Hi,

Attached fix is for PR769:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=769

The fix is not Java 7 specific ... Java 7 just exposed the bug.

ChangeLog:
2011-08-03  Deepak Bhole <dbhole at redhat.com>

    PR769: IcedTea-Web plugin does not work with some ssl sites with OpenJDK7
    * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
    (checkServerTrusted): Account for a null hostname that the overloaded
    implementation may pass.

Okay for HEAD, 1.0 and 1.1?

Cheers,
Deepak
-------------- next part --------------
diff -r db6914cf15be NEWS
--- a/NEWS	Wed Aug 03 14:11:11 2011 -0400
+++ b/NEWS	Wed Aug 03 17:06:33 2011 -0400
@@ -13,6 +13,7 @@
   - PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
 Common
   - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
+  - PR769: IcedTea-Web plugin does not work with some ssl sites with OpenJDK7
 
 New in release 1.1.1 (2011-07-20):
 * Security updates:
diff -r db6914cf15be netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Wed Aug 03 14:11:11 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Wed Aug 03 17:06:33 2011 -0400
@@ -222,7 +222,7 @@
 
         // If the certificate is not explicitly trusted, we
         // need to prompt the user
-        if (!isExplicitlyTrusted(chain, authType)) {
+        if (!isExplicitlyTrusted(chain, authType) && hostName != null) {
 
             try {
                 HostnameChecker checker = HostnameChecker
@@ -235,6 +235,8 @@
                 CNMatched = false;
                 ce = e;
             }
+        } else if (!isExplicitlyTrusted(chain, authType)) {
+            CNMatched = false;
         }
 
         if (!trusted || !CNMatched) {