[9] RFR: 8054380: X.509 cert extension SubjectAltName should allow digits as first character of dNSName

Florian Weimer fweimer at redhat.com
Fri Aug 8 08:59:08 UTC 2014


On 08/07/2014 03:32 PM, Sean Mullan wrote:
> On 08/07/2014 08:47 AM, Florian Weimer wrote:
>> I wonder why using HTTPS to access <https://www.3com.com> works with
>> the current jdk9-dev code.  The name "www.3com.com" is only present in
>> the SAN.
>
> Is the SAN extension non-critical? If so, that could explain why. We
> allow X509Certificates to be created with unparseable non-critical
> extensions.

Yes, it's marked as non-critical.  But this doesn't really explain the 
lack of an exception because the www.3com.com dNSName is obviously used 
(there's no TLS handshake failure).

-- 
Florian Weimer / Red Hat Product Security


