RFR: 8278312: Update SimpleSSLContext keystore to use SANs for localhost IP addresses
Daniel Fuchs
dfuchs at openjdk.java.net
Thu Dec 9 17:00:44 UTC 2021
On Tue, 7 Dec 2021 15:00:33 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> This updates the testkeys keystore file used by SimpleSSLContext in the test tree, in order to add subject alt names for the literal IP addresses "127.0.0.1" and "::1". This should allow the self signed certificate in the keystore to be accepted even when the local OS doesn't have a localhost to loopback address name service mapping.
>>
>> Apart from the test, there's nothing to see in the webrev as it's a binary file. Here is the relevant diff between the list output from the old and new keystores
>>
>> 24c24,31
>> < #1: ObjectId: 2.5.29.14 Criticality=false
>> ---
>>> #1: ObjectId: 2.5.29.17 Criticality=true
>>> SubjectAlternativeName [
>>> DNSName: localhost
>>> IPAddress: 127.0.0.1
>>> IPAddress: 0:0:0:0:0:0:0:1
>>> ]
>>>
>
> test/jdk/com/sun/net/httpserver/SANTest.java line 77:
>
>> 75: int port1 = s1.getAddress().getPort();
>> 76: int port2 = s2.getAddress().getPort();
>> 77: test ("127.0.0.1", root+"/test1", port2, "smallfile.txt", 23);
>
> Maybe this test should use `IPSupport::hasIPv4` and `IPSupport::hasIPv6` to figure out which addresses can be tested on a particular machine.
Also it might be good to test with HTTP/2 over SSL - maybe the test class could implement `HttpServerAdapters` to that purpose.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6727
More information about the security-dev
mailing list