RFR: 8328723: IP Address error when client enables HTTPS endpoint check on server socket
Prajwal Kumaraswamy
pkumaraswamy at openjdk.org
Fri Jul 5 09:02:45 UTC 2024
The client identity check, when the "HTTPS" endpoint identification algorithm is set on an SSL server, throws "java.security.cert.CertificateException: No subject alternative names present" when the client certificate's SubjectAltName extension does not match its IP address.
Since the server has no external knowledge of what the client's identity ought to be, HTTPS identity checks must be disabled on the server side.
The exception message has been fixed to indicate the same.
I have performed the test on both SSL Server Engine and SSL Server Socket, and attached are logs and a snapshot for reference. I have also run the changes against an external test suite, and the test runs are green.
-------------
Commit messages:
- 8328723: IP Address error when client enables HTTPS endpoint check on server socket
Changes: https://git.openjdk.org/jdk/pull/20048/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=20048&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8328723
Stats: 12 lines in 1 file changed: 9 ins; 0 del; 3 mod
Patch: https://git.openjdk.org/jdk/pull/20048.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/20048/head:pull/20048
PR: https://git.openjdk.org/jdk/pull/20048
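
The server-side setting discussed in this message, shown as an added example that is not part of the original post or of the JDK change: a server socket configured with the "HTTPS" endpoint identification algorithm beside the corrected configuration, plus a startup guard that rejects the former. The class name `ServerEndpointIdCheck` and the methods `serverParams` and `requireNoServerEndpointId` are hypothetical, and the example assumes the JVM's default `SSLContext`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

public class ServerEndpointIdCheck {

    // Corrected server configuration: still require a client certificate
    // (validated by the trust manager), but leave endpoint identification
    // unset, as the message says it must be on the server side.
    static SSLParameters serverParams(SSLParameters base) {
        base.setNeedClientAuth(true);
        base.setEndpointIdentificationAlgorithm(null);
        return base;
    }

    // Hypothetical startup guard: refuse server-side parameters that carry
    // an endpoint identification algorithm.
    static void requireNoServerEndpointId(SSLParameters p) {
        String alg = p.getEndpointIdentificationAlgorithm();
        if (alg != null && !alg.isEmpty()) {
            throw new IllegalStateException(
                "endpoint identification '" + alg + "' is set on a server socket");
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Port 0 picks a free port; no handshake is performed here.
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {

            // Configuration described in the message: "HTTPS" on the server.
            SSLParameters bad = server.getSSLParameters();
            bad.setNeedClientAuth(true);
            bad.setEndpointIdentificationAlgorithm("HTTPS");
            server.setSSLParameters(bad);
            try {
                requireNoServerEndpointId(server.getSSLParameters());
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }

            // Corrected configuration passes the guard.
            server.setSSLParameters(serverParams(server.getSSLParameters()));
            requireNoServerEndpointId(server.getSSLParameters());
            System.out.println("accepted: needClientAuth=" + server.getNeedClientAuth());
        }
    }
}
```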