endpoint identification algorithm, only in "1.2"?
Bernd Eckenfels
ecki at zusammenkunft.net
Wed Oct 8 23:06:34 UTC 2014
Hello,
the JCE algorithm specification
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
states for TLS:
"... The Java SE 7 release supports endpoint identification algorithms
for TLS 1.2. The algorithm name can be passed to the
setEndpointIdentificationAlgorithm() method of
javax.net.ssl.SSLParameters...."
If I read the source* right, and especially since this would be a rather
strange thing if it does not, the actual hostname verification is done
regardless of the actual TLS protocol. So I think the "TLS 1.2" in the
above text refers to the TLSv1.2/SunJSSE protocol/provider, not the
actual negotiated protocol level, right?
If I use an unknown algorithm, the verifier will fail with
CertificateException. I think this will trigger a registered
HostnameVerifyer (so far so good). But this does mean it also does not
to chain checking and trustsstore, right? (so I better customize the
ExtendedX509TrustManager for checks in addition to the normal checks,
right?
*
http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/21568031434d/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java#l454
Greetings
Bernd
More information about the security-dev
mailing list