endpoint identification algorithm, only in "1.2"?

Bernd Eckenfels ecki at zusammenkunft.net
Wed Oct 8 23:06:34 UTC 2014


The JCE algorithm specification states for TLS:

"... The Java SE 7 release supports endpoint identification algorithms
for TLS 1.2. The algorithm name can be passed to the
setEndpointIdentificationAlgorithm() method of

If I read the source* right, and especially since this would be a rather
strange thing if it does not, the actual hostname verification is done
regardless of the actual TLS protocol. So I think the "TLS 1.2" in the
above text refers to the TLSv1.2/SunJSSE protocol/provider, not the
actual negotiated protocol level, right?

If I use an unknown algorithm, the verifier will fail with
CertificateException. I think this will trigger a registered
HostnameVerifier (so far so good). But this does mean it also does not
do chain checking and truststore, right? (so I better customize the
ExtendedX509TrustManager for checks in addition to the normal checks,



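As an added illustration of the setup the post is asking about (this is example code, not from the post, the list, or the OpenJDK sources), the following Java client wraps the platform default `javax.net.ssl.X509ExtendedTrustManager` so that chain building and truststore lookup remain with the JDK, and enables endpoint identification by setting the algorithm name "HTTPS" on the socket's `SSLParameters`. The host name `example.com` and the extra policy check (minimum RSA leaf key size) are assumptions chosen for the example.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Wraps the JDK default trust manager. Chain validation, truststore lookup and
 * (when the socket or engine carries an endpoint identification algorithm)
 * hostname verification stay with the delegate; this class only adds a check.
 */
public final class DelegatingTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;

    public DelegatingTrustManager(X509ExtendedTrustManager delegate) {
        this.delegate = delegate;
    }

    /** Illustrative extra policy (assumption for this example): RSA leaf keys >= 2048 bits. */
    static void extraChecks(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        if (chain[0].getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) chain[0].getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                throw new CertificateException("leaf RSA key too small: " + bits + " bits");
            }
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        // Delegate does chain + truststore checks, plus hostname check if enabled on the socket.
        delegate.checkServerTrusted(chain, authType, socket);
        extraChecks(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine);
        extraChecks(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // No socket or engine here, so no endpoint identification is possible in this overload.
        delegate.checkServerTrusted(chain, authType);
        extraChecks(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Looks up the JDK default X509ExtendedTrustManager backed by the system truststore. */
    static X509ExtendedTrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = default truststore (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) return (X509ExtendedTrustManager) tm;
        }
        throw new NoSuchAlgorithmException("no X509ExtendedTrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed host for the example
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DelegatingTrustManager(defaultTrustManager()) }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // turns on hostname verification
            s.setSSLParameters(p);
            s.startHandshake(); // CertificateException from the trust manager fails the handshake
            System.out.println("protocol " + s.getSession().getProtocol()
                    + ", peer " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Because the wrapper always calls the delegate first, the normal chain and truststore checks are never skipped, and the endpoint identification algorithm on the `SSLParameters` is what tells the delegate to compare the certificate against the host name; leaving it unset means no hostname check is performed for a raw `SSLSocket`. A `HostnameVerifier` registered on `HttpsURLConnection` is consulted by that class only, not by sockets created directly as above.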