RFC 6125 and host name verification in Java 7+
Xuelei Fan
xuelei.fan at oracle.com
Fri Aug 17 02:09:50 UTC 2012
On 8/17/2012 6:26 AM, Bruno Harbulot wrote:
> Hello,
>
> Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
> algorithms supported by
> SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
> "LDAPS". The Javadoc for SSLParameters points to the standard names
> and provider documentation, but I can't find any mention of these
> algorithms anywhere. Are there any others?
>
In the doc pointed to, did you notice that there is a link to the "Standard
Names document"? It is the place that holds the standard names now. You can
click the link below directly:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
and search for "LDAPS" or "HTTPS".
> I'm not sure if there is much awareness for it, but there is an RFC
> that aims to harmonise the best practices for server name
> identification across protocols: RFC 6125, "Representation and
> Verification of Domain-Based Application Service Identity within
> Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
> the Context of Transport Layer Security (TLS)". (In practice, it's
> actually quite close to the HTTPS rules from RFC 2818.)
>
> I'd just like to suggest that further versions of the JDK/JRE could
> support an "RFC6125" algorithm in addition to the existing ones, since
> it's meant to be independent of the application protocol (perhaps all
> this could be enabled by default too, to prevent cases where users
> don't verify the host name at all).
>
Thanks for the suggestion. I will log the feature request.
Thanks,
Xuelei
> Best wishes,
>
> Bruno.
>
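The thread's practical point is that a raw SSLSocket or SSLEngine in Java 7 validates the certificate chain but does not check that the certificate was issued for the host you connected to unless an endpoint identification algorithm is set. The following is an added example, not code from the thread or from Oracle; it shows the unchecked default beside the hardened form using the "HTTPS" algorithm the thread names. The host "example.com" and port 443 are placeholders, and the class and method names are mine. The main method only builds an SSLEngine, so it runs without network access; the socket helpers do connect when called.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not from the mailing-list thread): enabling host name
 * verification ("HTTPS" rules) on SSLSocket and SSLEngine in Java 7+.
 */
public class EndpointIdentificationDemo {

    // Weak: the chain is validated against the trust store, but nothing checks
    // that the certificate names the host we asked for. Any valid certificate,
    // e.g. one issued to an attacker's own domain, passes the handshake.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return (SSLSocket) f.createSocket(host, port);   // no endpoint identification
    }

    // Hardened: set the algorithm before the handshake. The default
    // X509ExtendedTrustManager then compares the certificate's SAN/CN entries
    // with the host name given to createSocket and fails the handshake with a
    // CertificateException on mismatch.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");   // "LDAPS" is the other standard name
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }

    // Same idea for SSLEngine: the peer host passed to createSSLEngine is the
    // name that gets checked, so it must be the logical server name, not an IP
    // you happened to resolve.
    static SSLEngine hardenedClientEngine(String host, int port) throws NoSuchAlgorithmException {
        SSLEngine e = SSLContext.getDefault().createSSLEngine(host, port);
        e.setUseClientMode(true);
        SSLParameters p = e.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        e.setSSLParameters(p);
        return e;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host/port; no connection is made here.
        SSLEngine unchecked = SSLContext.getDefault().createSSLEngine("example.com", 443);
        System.out.println("default algorithm: "
                + unchecked.getSSLParameters().getEndpointIdentificationAlgorithm());

        SSLEngine checked = hardenedClientEngine("example.com", 443);
        System.out.println("hardened algorithm: "
                + checked.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

Note that HttpsURLConnection applies host name verification on its own; it is the direct SSLSocket/SSLEngine users that need to set the parameter explicitly, which is why the suggestion above to enable it by default matters.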