RFR: JDK-8260925: HttpsURLConnection does not work with other JSSE provider.

Vyom Tewari vtewari at openjdk.java.net
Tue Mar 2 14:42:41 UTC 2021


On Tue, 2 Mar 2021 12:43:27 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> HttpsURLConnection works with the SunJSSE provider but does not work with other JSSE providers. In the case of SunJSSE, HttpsURLConnection sets the host name as follows:
>> 
>> s = (SSLSocket)serverSocket;
>>    if (s instanceof SSLSocketImpl) {
>>           ((SSLSocketImpl)s).setHost(host);
>>    } 
>> 
>> But in the case of other providers (BouncyCastleProvider), the host will not get set and a "java.security.cert.CertificateException: No subject alternative name found matching IP address" exception will be thrown.
>
> src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java line 569:
> 
>> 567:                     SSLParameters paramaters = s.getSSLParameters();
>> 568:                     paramaters.setEndpointIdentificationAlgorithm("HTTPS");
>> 569:                     paramaters.setServerNames(Collections.singletonList(new SNIHostName(host)));
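
Review bot: At line 569, `setServerNames(...)` replaces whatever server-name list the `SSLParameters` returned by `s.getSSLParameters()` already carries, so an SNI name configured on the socket before this point is silently overwritten. Consider setting it only when `paramaters.getServerNames()` is null or empty. Also on line 569, `host` can be an IP literal (the exception in the report mentions "matching IP address"). RFC 6066 does not permit IP literals as an SNI host_name, and `new SNIHostName(host)` throws `IllegalArgumentException` for a name it rejects, so that call needs a guard or a hostname check before it. Minor: the local is spelled `paramaters`; `parameters` would read better.
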
> 
> What if the SSL Layer has already an SNIHostName configured? Is there a risk that this will introduce regressions in such cases?

Maybe, I am not sure; we may need this code change to be reviewed by a security expert. I am setting "SNIHostName" only if "isDefaultHostnameVerifier" is true (if the HNV is the default from HttpsURLConnection), so there should not be a problem.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2583