RFR: 7192189: Support endpoint identification algorithm in RFC 6125

Rajan Halade rhalade at openjdk.java.net
Mon Mar 7 21:31:05 UTC 2022


On Fri, 4 Mar 2022 14:59:54 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> Please review this change to fully support RFC 6125 in the TLS implementation. This change forbids wildcard domains in TLS certificates unless the wildcard is in the left-most component. Certificates of this nature should be rare and are not allowed per the CABForum baseline requirements. However there may be a small compatibility risk associated with this change, so a CSR has also been filed.

test/jdk/sun/security/util/HostnameChecker/Wildcard.java line 72:

> 70:         } catch (Exception e) {
> 71:             if (expected) {
> 72:                 throw new Exception("unexpectedly failed match", e);

Consider updating these to RuntimeException.

test/jdk/sun/security/util/HostnameMatcher/TestHostnameChecker.java line 196:

> 194:         check(checker, "5.6.7.8", cert3, true);
> 195:         check(checker, "foo.bar.com", cert4, true);
> 196:         check(checker, "altfoo.bar.com", cert4, true);

Can the expected result be updated to false instead of removing this case?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7697
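The rule the PR description refers to, as a stand-alone worked example added to this archived thread (it is not code from the PR, nor the JDK's HostnameChecker): a DNS-ID from a certificate's subjectAltName matches the reference hostname only if any wildcard sits in the left-most label and covers exactly one label, per RFC 6125 section 6.4.3. The sample name pairs are constructed for illustration, and the refusal of two-label identifiers such as `*.com` is a crude stand-in for the Public Suffix List check a real client would perform, so treat that part as an assumption.

```python
"""RFC 6125 DNS-ID matching with wildcards honoured only in the left-most label.

Added illustration, not code from the JDK PR or its HostnameChecker: it shows
which presented identifiers (SAN dNSName entries) match a reference identifier
(the host the client connected to) under RFC 6125 section 6.4.3.
"""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels; a trailing dot is the root."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def _wildcard_label_matches(pattern: str, label: str) -> bool:
    """Match one label against a left-most label holding exactly one '*'.

    The '*' stands for zero or more characters inside this label only, so
    '*.example.com' can never cover 'a.b.example.com' (RFC 6125 rule 2).
    'baz*.example.net' matching 'baz1.example.net' is the RFC's rule 3.
    """
    prefix, _, suffix = pattern.partition("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def matches_dns_id(reference: str, presented: str) -> bool:
    """Return True if the presented DNS-ID identifies the reference host."""
    ref = _labels(reference)
    pres = _labels(presented)

    if "*" not in presented:
        # No wildcard: a plain case-insensitive label-by-label comparison.
        return ref == pres

    # Rule 1 (the rule the PR enforces): the wildcard may appear only in the
    # left-most label, and only once. 'foo.*.example.com' is rejected.
    if pres[0].count("*") != 1 or any("*" in label for label in pres[1:]):
        return False

    # Refuse wildcards that would span a whole TLD, e.g. '*.com'. RFC 6125
    # says not to match public suffixes; this label count is a crude stand-in
    # for the Public Suffix List lookup a real client would do (assumption).
    if len(pres) < 3:
        return False

    # Rule 2: the wildcard covers exactly one label, so the label counts must
    # agree and every label after the first must be identical.
    if len(ref) != len(pres) or ref[1:] != pres[1:]:
        return False

    # RFC 6125 also says not to apply wildcard matching to IDN A-labels.
    if ref[0].startswith("xn--"):
        return False

    return _wildcard_label_matches(pres[0], ref[0])


if __name__ == "__main__":
    # Constructed sample pairs, including the non-left-most wildcard the PR forbids.
    cases = [
        ("www.example.com", "www.example.com"),
        ("WWW.Example.COM.", "www.example.com"),
        ("www.example.com", "*.example.com"),
        ("a.b.example.com", "*.example.com"),
        ("example.com", "*.example.com"),
        ("foo.bar.example.com", "*.bar.example.com"),
        ("foo.bar.example.com", "foo.*.example.com"),
        ("baz1.example.net", "baz*.example.net"),
        ("www.com", "*.com"),
    ]
    for reference, presented in cases:
        verdict = "match" if matches_dns_id(reference, presented) else "no match"
        print(f"{reference:22} vs {presented:22} -> {verdict}")
```

The `foo.*.example.com` pair is the shape of identifier the change stops accepting; a client that still matched it would let one certificate cover an arbitrary sub-tree, which is why the PR (and the CABForum baseline requirements) reject it.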


