TLS hostname verifier: reverse resolves peer addresses?

Bernd Eckenfels ecki at zusammenkunft.net
Wed Jul 15 00:48:06 UTC 2015


Am Mon, 3 Nov 2014 00:15:28 +0100
schrieb Bernd Eckenfels <ecki at zusammenkunft.net>:

> JSSE...  I noticed, that
> the Java 8 hostname verifier (algorithm https configured) will reverse
> resolve hostnames and use them.

Is this JDK-8067695 (not public) and fixed in 8u51?

Does this have an CVE entry in the 8u51 CPU list, I cannot find one (but
then again the descriptions aren't very verbose anyway)

http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html#JAVA

In case you are curious, according to the release notes, it can be
controled with jdk.tls.trustNameService.

Gruss
Bernd


More information about the security-dev mailing list