RFR: 8369950: TLS connection to IPv6 address fails with BCJSSE due to IllegalArgumentException [v2]
Daniel Jeliński
djelinski at openjdk.org
Tue Dec 2 14:50:04 UTC 2025
On Tue, 2 Dec 2025 14:01:20 GMT, Sergey Chernyshev <schernyshev at openjdk.org> wrote:
>> @vy The test exercises the same code path as in the BCJSSE case, that throws an exception on non-LDH symbols. Segments of IPv4 literal addresses are all LDH, so they do not trigger any exception. Adding an IPAddressUtil.isIPv4LiteralAddress() check in the above condition is purely to mirror SSLSocketImpl behavior, as I thought initially.
>>
>> On the other hand, should we then add a negative test with a certificate that doesn't have a SAN extension (or the 127.0.0.1 ipv4 address in it), that should fail in the HostnameVerifier when the 'https://127.0.0.1' is requested?
>
> @djelinski would you think such a negative test is needed here?
> On the other hand, should we then add a negative test with a certificate that doesn't have a SAN extension (or the 127.0.0.1 ipv4 address in it), that should fail in the HostnameVerifier when the 'https://127.0.0.1/' is requested?
No, such a test would fail whether we use setServerNames or not.
I think @vy is asking for a check that the SSLParameters passed to SSLSocket#setSSLParameters have no serverNames configured. That should be reasonably easy to do.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28577#discussion_r2581507151