RFR: 8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled

Weijun Wang weijun at openjdk.java.net
Tue Jan 25 14:19:33 UTC 2022


On Tue, 25 Jan 2022 00:13:32 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

> A hostname in a URL ending with a dot is valid (see RFC 1034). However, it is not a valid SNI hostname. The ending dot should be ignored while checking the hostname with SNI or the name in an X.509 certificate.
> 
> The update should be verified with jshell. No new regression test is added, as there is a need for a Fully-Qualified Domain Name.
> $ $JDK_HOME/bin/jshell
> jshell> URL url = new URL("https://www.google.com./");
> jshell> URLConnection conn = url.openConnection();
> jshell> conn.connect();

Is it possible to add a regression test using the `-Djdk.net.hosts.file` feature? It is a JVM-only `/etc/hosts` alternative.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7205
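
Added example, not part of the thread or of the JDK change under review: it shows that `javax.net.ssl.SNIHostName` rejects a name with a trailing dot and what stripping the root-label dot before the SNI check looks like. `stripTrailingDot` and `isValidSni` are hypothetical helpers, and the hostnames are constructed samples.

```java
import javax.net.ssl.SNIHostName;

public class TrailingDotSni {

    // Hypothetical helper: remove exactly one trailing dot (the DNS root
    // label, RFC 1034) so the name can be used for SNI and for matching
    // against certificate names. A bare "." is left untouched.
    static String stripTrailingDot(String host) {
        if (host != null && host.length() > 1 && host.endsWith(".")) {
            return host.substring(0, host.length() - 1);
        }
        return host;
    }

    // Hypothetical helper: true if the JDK accepts the name as an SNI
    // host_name. SNIHostName throws IllegalArgumentException for names
    // it considers invalid, including ones that end with a dot.
    static boolean isValidSni(String host) {
        try {
            new SNIHostName(host);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample names: plain, fully qualified with root dot,
        // and a malformed name that must stay invalid after normalization.
        String[] samples = {
            "www.example.com",
            "www.example.com.",
            "www.example.com.."
        };
        for (String raw : samples) {
            String normalized = stripTrailingDot(raw);
            System.out.printf("%-20s rawValid=%-5b normalized=%-18s normalizedValid=%b%n",
                    raw, isValidSni(raw), normalized, isValidSni(normalized));
        }
    }
}
```

Only one dot is stripped, so a name with an empty label before the root dot is still rejected rather than silently accepted.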


