endpoint identification algorithm, only in "1.2"?

Xuelei Fan xuelei.fan at oracle.com
Thu Oct 9 00:21:42 UTC 2014

On 10/9/2014 7:06 AM, Bernd Eckenfels wrote:
> Hello,
> the JCE algorithm specification
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
> states for TLS:
> "... The Java SE 7 release supports endpoint identification algorithms
> for TLS 1.2. The algorithm name can be passed to the
> setEndpointIdentificationAlgorithm() method of
> javax.net.ssl.SSLParameters...."
> If I read the source* right, and especially since this would be a rather
> strange thing if it does not, the actual hostname verification is done
> regardless of the actual TLS protocol. So I think the "TLS 1.2" in the
> above text refers to the TLSv1.2/SunJSSE protocol/provider, not the
> actual negotiated protocol level, right?
Should not have the "for TLS 1.2" words in the doc.  The endpoint
identification algorithms apply to all TLS protocols.

> If I use an unknown algorithm, the verifier will fail with
> CertificateException. I think this will trigger a registered
> HostnameVerifier (so far so good). But this does mean it also does not
> do chain checking and truststore, right? (so I better customize the
> ExtendedX509TrustManager for checks in addition to the normal checks,
> right?)
Endpoint identification happens in the SSL handshaking period, while
HostnameVerifier happens after the SSL handshaking.  If Endpoint
identification failed, the TLS negotiation would terminate accordingly.
Need to customize the trust manager if you want to support additional
algorithms.  I would prefer to use the endpoint identification APIs for
new applications.


> *
>   http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/21568031434d/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java#l454
>   Greetings
> Bernd
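
The two mechanisms discussed in this message, as an added example that is not part of the original post or of the JDK sources: the standard "HTTPS" endpoint identification algorithm is set on `SSLParameters`, and a wrapping `X509ExtendedTrustManager` delegates chain and endpoint checks to the default trust manager before applying one additional rule. The class names, the subjectAltName rule and the peer name `host.example` are assumptions made for illustration.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

public class EndpointIdDemo {
    // Delegates chain validation and endpoint identification to the default trust
    // manager, then applies one extra rule (hypothetical: the leaf must carry a SAN).
    static final class ExtraCheckTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager base;
        ExtraCheckTrustManager(X509ExtendedTrustManager base) { this.base = base; }

        private static void extra(X509Certificate[] chain) throws CertificateException {
            if (chain[0].getSubjectAlternativeNames() == null)
                throw new CertificateException("leaf certificate has no subjectAltName");
        }
        @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
            base.checkServerTrusted(c, a, s); extra(c);   // socket-based handshake
        }
        @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
            base.checkServerTrusted(c, a, e); extra(c);   // engine-based handshake
        }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            base.checkServerTrusted(c, a); extra(c);      // no connection context, so no endpoint check
        }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { base.checkClientTrusted(c, a, s); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { base.checkClientTrusted(c, a, e); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { base.checkClientTrusted(c, a); }
        @Override public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                        // default JRE trust store
        X509ExtendedTrustManager base = (X509ExtendedTrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ExtraCheckTrustManager(base) }, null);

        SSLEngine engine = ctx.createSSLEngine("host.example", 443);  // constructed peer name
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");  // enforced during the handshake
        engine.setSSLParameters(params);
        System.out.println("endpoint id: " + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
        System.out.println("protocols:   " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The program opens no connection; it only shows that the endpoint identification setting sits on the engine's parameters independently of which protocol versions are enabled.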
