TLS hostname verifier: reverse resolves peer addresses?
Bernd Eckenfels
ecki at zusammenkunft.net
Wed Jul 15 00:48:06 UTC 2015
Am Mon, 3 Nov 2014 00:15:28 +0100
schrieb Bernd Eckenfels <ecki at zusammenkunft.net>:
> JSSE... I noticed, that
> the Java 8 hostname verifier (algorithm https configured) will reverse
> resolve hostnames and use them.
Is this JDK-8067695 (not public) and fixed in 8u51?
Does this have an CVE entry in the 8u51 CPU list, I cannot find one (but
then again the descriptions aren't very verbose anyway)
http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html#JAVA
In case you are curious, according to the release notes, it can be
controled with jdk.tls.trustNameService.
Gruss
Bernd
More information about the security-dev
mailing list