[9] RFR: 8054380: X.509 cert extension SubjectAltName should allow digits as first character of dNSName

Jason Uh jason.uh at oracle.com
Fri Aug 22 21:07:23 UTC 2014


Please see the revised webrev here:
http://cr.openjdk.java.net/~juh/8054380/webrev.02/

Additional changes include:
1. Verification of the DNSName during certificate parsing
2. Allowing each component to start with a letter or digit
3. A check to make sure the final character of a component ends in a digit or letter (RFC 952 grammar rules)

Thanks,
Jason

On 08/08/2014 01:59 AM, Florian Weimer wrote:
> On 08/07/2014 03:32 PM, Sean Mullan wrote:
>> On 08/07/2014 08:47 AM, Florian Weimer wrote:
> >>> I wonder why using HTTPS to access <https://www.3com.com> works with
>>> the current jdk9-dev code.  The name "www.3com.com" is only present in
>>> the SAN.
>>
>> Is the SAN extension non-critical? If so, that could explain why. We
>> allow X509Certificates to be created with unparseable non-critical
>> extensions.
>
> Yes, it's marked as non-critical.  But this doesn't really explain the
> lack of an exception because the www.3com.com dNSName is obviously used
> (there's no TLS handshake failure).
>
