[security-dev 00624]: code review request: 4773451 Support IP address based virtual hosting in default KeyManager implementation
Xuelei Fan
Xuelei.Fan at Sun.COM
Fri Feb 27 02:52:39 UTC 2009
I need to get a code review for:
4773451 Support IP address based virtual hosting in default
KeyManager implementation
http://cr.openjdk.java.net/~xuelei/4773451/webrev.00/
Thanks,
Xuelei
The bug description:
-------------------------------------------------
When using multiple SSLServerSockets with each listening on
its own IP address, the JVM is not correctly sending the
correct certificate to the connecting client's web browser.
Regardless of which domain/IP the browser attempts to
connect to, the JVM always maps the domain/IP for the first
listed certificate in the keystore.
Example: domains abc.com, def.com, ghi.com each have their
own self-signed certificate in keystore, each created using
'keytool -genkey' and created in same order. Each also
being domain mapped to their own IP address and served
through their own SSLServerSocket.
When a client attempts to connect to abc.com, all is well.
The correct certificate is presented to the client and
connection succeeds. However, when the client attempts to
connect to either def.com or ghi.com, they are presented
with the certificate for abc.com.
If a client connecting to def.com or ghi.com elects to accept
that incorrect certificate, the connection succeeds to the proper
site, despite use of the incorrect certificate. So correct
domain/IP mapping is not the issue.
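To make the failure mode concrete, here is an added illustration (not the code in the webrev above, and not part of the original message) of what "IP address based virtual hosting" asks of a KeyManager. The default X509KeyManager's chooseServerAlias ignores which local address the accepting socket is bound to and returns the first usable alias, which is exactly the symptom described: every SSLServerSocket serves abc.com's certificate. The wrapper below inspects the local address of the socket passed to chooseServerAlias and prefers an alias whose leaf certificate carries a matching iPAddress subjectAltName, falling back to the default choice otherwise. The class name, the keystore path and password, and the assumption that each per-host certificate carries an iPAddress SAN are all mine, not the project's.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Illustrative KeyManager (hypothetical, not the webrev's code) that picks the
 * server alias whose leaf certificate has an iPAddress subjectAltName equal to
 * the local address the accepting socket is bound to. Falls back to the default
 * KeyManager's choice (first usable alias) when no certificate matches.
 */
public final class LocalAddressKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;

    public LocalAddressKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String[] aliases = delegate.getServerAliases(keyType, issuers);
        if (aliases == null || socket == null) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        // The address the SSLServerSocket was bound to, i.e. the IP the client connected to.
        InetAddress local = socket.getLocalAddress();
        for (String alias : aliases) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            if (chain != null && chain.length > 0 && certMatchesAddress(chain[0], local)) {
                return alias;
            }
        }
        // Nothing matched: keep the old behaviour rather than failing the handshake.
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    /** True if the certificate lists addr in an iPAddress (GeneralName type 7) SAN entry. */
    static boolean certMatchesAddress(X509Certificate cert, InetAddress addr) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) {
                return false;
            }
            for (List<?> san : sans) {
                Integer type = (Integer) san.get(0);
                // Type 7 entries are returned as dotted-decimal (IPv4) or colon-separated (IPv6) strings.
                if (type.intValue() == 7 && addr.getHostAddress().equals(san.get(1))) {
                    return true;
                }
            }
        } catch (CertificateParsingException e) {
            // An unparseable SAN extension counts as "no match", not as a handshake error.
        }
        return false;
    }

    // The remaining methods simply forward to the default implementation.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Wraps the default KeyManager into an SSLContext; keystorePath and password are placeholders. */
    public static SSLContext buildContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new LocalAddressKeyManager((X509KeyManager) kms[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);
        return ctx;
    }
}
```

An SSLServerSocket created from buildContext(...).getServerSocketFactory() and bound to def.com's address will now be offered def.com's certificate, while sockets bound to addresses with no matching SAN keep today's behaviour. Note that this only helps socket-based servers: an SSLEngine carries no local address, so chooseEngineServerAlias would need its own hint (for example a per-engine session attribute), and name-based hosting on a shared IP needs SNI rather than address matching.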