RFR: 7192189: Support endpoint identification algorithm in RFC 6125
Rajan Halade
rhalade at openjdk.java.net
Mon Mar 7 21:31:05 UTC 2022
On Fri, 4 Mar 2022 14:59:54 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> Please review this change to fully support RFC 6125 in the TLS implementation. This change forbids wildcard domains in TLS certificates unless the wildcard is in the left-most component. Certificates of this nature should be rare and are not allowed per the CABForum baseline requirements. However, there may be a small compatibility risk associated with this change, so a CSR has also been filed.
test/jdk/sun/security/util/HostnameChecker/Wildcard.java line 72:
> 70: } catch (Exception e) {
> 71: if (expected) {
> 72: throw new Exception("unexpectedly failed match", e);
Consider updating these to RuntimeException.
test/jdk/sun/security/util/HostnameMatcher/TestHostnameChecker.java line 196:
> 194: check(checker, "5.6.7.8", cert3, true);
> 195: check(checker, "foo.bar.com", cert4, true);
> 196: check(checker, "altfoo.bar.com", cert4, true);
Can the expected result be updated to false instead of removing this case?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7697
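The rule the quoted PR description states (a wildcard is honoured only in the left-most label of a dNSName) in the form of a standalone RFC 6125 section 6.4.3 style matcher, as an added Python example that is not code from the JDK change, its tests or the OpenJDK project. The `matches_dns_id` function and the identifiers in the sample run are constructed for illustration; the rejection of two-label names such as `*.com` and of wildcards inside IDN labels are extra checks assumed from RFC 6125 and CA/Browser Forum practice, not something the PR description says the JDK does.

```python
"""RFC 6125 (section 6.4.3) style wildcard matching for TLS dNSName identifiers.

Added illustration, not the OpenJDK HostnameChecker. It applies the rule the
PR description states (a wildcard counts only in the left-most label) plus
the RFC's other constraints; the '*.com' and IDN checks are assumptions
taken from common client practice.
"""


def _split_labels(name: str):
    """Lower-case, strip a trailing dot, and split into labels.

    Returns None for syntactically unusable names (empty labels)."""
    name = name.lower().rstrip(".")
    if not name or name.startswith(".") or ".." in name:
        return None
    return name.split(".")


def matches_dns_id(presented: str, reference: str) -> bool:
    """True if the presented identifier (certificate dNSName SAN) matches the
    reference identifier the client actually connected to."""
    p = _split_labels(presented)
    r = _split_labels(reference)
    if p is None or r is None:
        return False
    # A reference identifier never legitimately contains a wildcard.
    if any("*" in lbl for lbl in r):
        return False
    wildcard_labels = [i for i, lbl in enumerate(p) if "*" in lbl]
    if not wildcard_labels:
        return p == r  # exact, case-insensitive comparison
    # The PR's rule: a wildcard is only honoured in the left-most label.
    # A wildcard anywhere else makes the whole identifier unmatchable.
    if wildcard_labels != [0]:
        return False
    first = p[0]
    # Assumed extra checks: exactly one '*', and at least two labels after
    # it, so that '*.com' cannot match every .com host.
    if first.count("*") != 1 or len(p) < 3:
        return False
    # RFC 6125 rule 3: do not honour a wildcard inside an IDN label
    # (A-label 'xn--...' or a non-ASCII U-label).
    if first.startswith("xn--") or not first.isascii():
        return False
    # The wildcard stands for exactly one label: label counts must be equal
    # and every label after the first must match exactly ('*.example.com'
    # matches neither 'example.com' nor 'a.b.example.com').
    if len(p) != len(r) or p[1:] != r[1:]:
        return False
    # Partial wildcard such as 'baz*.example.net': match the fixed text
    # around the '*' against the reference's first label.
    prefix, suffix = first.split("*")
    head = r[0]
    return (head.startswith(prefix) and head.endswith(suffix)
            and len(head) >= len(prefix) + len(suffix))


if __name__ == "__main__":
    # Constructed sample pairs (certificate name, connected host).
    cases = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "example.com"),
        ("*.example.com", "a.b.example.com"),
        ("www.*.com", "www.example.com"),      # wildcard not left-most
        ("*.*.example.com", "a.b.example.com"),
        ("*.com", "example.com"),
        ("baz*.example.net", "baz1.example.net"),
    ]
    for cert_name, host in cases:
        print(f"{cert_name:20} vs {host:20} -> {matches_dns_id(cert_name, host)}")
```

In this matcher the behaviour the PR describes is the `wildcard_labels != [0]` check: a certificate name such as `www.*.com` used to be something a lenient matcher could accept by treating `*` positionally, and after the change it simply never matches.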
More information about the security-dev
mailing list