RFR: 7192189: Support endpoint identification algorithm in RFC 6125
Sean Mullan
mullan at openjdk.java.net
Mon Mar 7 21:37:05 UTC 2022
On Mon, 7 Mar 2022 21:26:34 GMT, Rajan Halade <rhalade at openjdk.org> wrote:
>> Please review this change to fully support RFC 6125 in the TLS implementation. This change forbids wildcard domains in TLS certificates unless the wildcard is in the left-most component. Certificates of this nature should be rare and are not allowed per the CABForum baseline requirements. However there may be a small compatibility risk associated with this change, so a CSR has also been filed.
>
> test/jdk/sun/security/util/HostnameMatcher/TestHostnameChecker.java line 196:
>
>> 194: check(checker, "5.6.7.8", cert3, true);
>> 195: check(checker, "foo.bar.com", cert4, true);
>> 196: check(checker, "altfoo.bar.com", cert4, true);
>
> Can the expected result be updated to false instead of removing this case?
It occurred to me that I should probably combine TestHostnameChecker and the Wildcard tests as they are both tests for domain matching. Let me see if it isn't too much work to do that (still waiting for the CSR to be approved anyway).
-------------
PR: https://git.openjdk.java.net/jdk/pull/7697
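As an added illustration of the rule this PR enforces, the following is a small RFC 6125 (section 6.4.3) style DNS-ID matcher written for this page; it is not the JDK's sun.security.util.HostnameChecker, and the minimum-label check near the end is an assumption beyond what the PR describes.

```python
# Added example: a minimal RFC 6125 (section 6.4.3) DNS-ID matcher. It is not
# the JDK's HostnameChecker; it only illustrates the rule the PR enforces: a
# wildcard is honoured solely in the left-most label of the presented identifier.
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot is an absolute-name marker.
    return name.lower().rstrip(".").split(".")


def dns_id_matches(presented: str, reference: str) -> bool:
    """True if the certificate's presented identifier (DNS-ID or CN) matches
    the reference identifier, i.e. the host the client intended to reach."""
    pres, ref = _labels(presented), _labels(reference)
    if not all(pres) or not all(ref):
        return False  # empty labels such as "foo..bar" are never valid
    if "*" not in presented:
        return pres == ref  # exact, case-insensitive match

    # Any wildcard outside the left-most label is rejected outright, which is
    # the behaviour this PR introduces for names like "bar.*.example.net".
    if any("*" in lbl for lbl in pres[1:]):
        return False
    if pres[0].count("*") != 1:
        return False  # "**.example.net" and similar are malformed

    # The wildcard stands in for exactly one label: "*.example.net" matches
    # "foo.example.net" but not "bar.foo.example.net".
    if len(pres) != len(ref):
        return False
    # Conservative extra check (assumption, not from the page): at least two
    # labels must remain to the right of the wildcard, so "*.com" never matches.
    if len(pres) < 3:
        return False
    if pres[1:] != ref[1:]:
        return False

    # RFC 6125 permits a partial-label wildcard such as "baz*.example.net".
    prefix, _, suffix = pres[0].partition("*")
    head = ref[0]
    return (len(head) >= len(prefix) + len(suffix)
            and head.startswith(prefix) and head.endswith(suffix))
```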