JDK-6750005 : subjectAltName-Extensions of the certificate are plainly ignored
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 6u10
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2008-09-18
  • Updated: 2010-04-26
  • Resolved: 2009-02-19
Description
Applets are normally not placed on secure sites, because the applet
itself can be signed, so a trusted server is not necessary.

However, if you place an applet on a secure site, the browser throws
this warning message:

"The page contains insecure elements. Do you want to display the insecure elements"

To get rid of this, you have to load the applet from the https URL. But
then the Java plugin complains about an invalid certificate.

The certificate contains subjectAltNames, which are correctly honored
by all browsers such as IE and Firefox. Only the applet suddenly
complains that the name in the certificate does not match the server name.

It might be a bug in
sun.plugin.security.CertificateHostnameVerifyer.java

The hostname is compared with the common name (CN) of the subject only,
while the subjectAltName extensions of the certificate are plainly ignored.

Other special cases are also missing, like the wildcard subject name "*.example.com".

This behavior can be seen in all Java versions. But the implementation
in JSSE is correct, so new URL("https://example.com/").openStream() works
flawlessly with SAN and wildcard certificates.

It should be simple to port the cert check routine from JSSE to deployment:
com.sun.deploy.security.CertificateHostnameVerifier.java
(located in the JDK source under deploy/src/common/classes)
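The check the report asks for, as an added example that is not the JDK's or the plugin's own code: the hostname is matched against the certificate's dNSName SANs first (a leading "*." wildcard covers exactly one label), and the subject CN is consulted only when the certificate carries no dNSName SAN at all. The class and method names are assumptions, the sample values in main are constructed, and Java 9 or later is assumed for List.of.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class HostnameCheck {
    // GeneralName tag for dNSName, as returned by getSubjectAlternativeNames()
    static final int DNS_NAME = 2;

    /** Collects the dNSName entries of the subjectAltName extension (empty if none). */
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == DNS_NAME) names.add((String) san.get(1));
            }
        }
        return names;
    }

    /** Matches one hostname against one certificate name; only a leading "*." wildcard is honored. */
    static boolean matchesPattern(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1);            // "*.example.com" -> ".example.com"
        // the host must end with the suffix, and the wildcard must stand for exactly one label
        return host.endsWith(suffix)
            && host.length() > suffix.length()
            && host.substring(0, host.length() - suffix.length()).indexOf('.') < 0;
    }

    /** SAN dNSNames take precedence; the CN is a fallback for certificates without any dNSName. */
    static boolean hostnameMatches(String host, List<String> dnsSans, String subjectCn) {
        if (!dnsSans.isEmpty()) {
            for (String san : dnsSans) if (matchesPattern(host, san)) return true;
            return false;                                // CN is ignored once SANs are present
        }
        return subjectCn != null && matchesPattern(host, subjectCn);
    }

    public static void main(String[] args) {
        List<String> sans = List.of("www.example.com", "*.example.com"); // constructed SAN list
        System.out.println(hostnameMatches("applet.example.com", sans, "example.com")); // wildcard label
        System.out.println(hostnameMatches("a.b.example.com", sans, "example.com"));    // two labels under "*."
        System.out.println(hostnameMatches("example.com", List.of(), "example.com"));   // CN-only certificate
    }
}
```

For a live check, feed dnsNames(cert) and the CN parsed from cert.getSubjectX500Principal() into hostnameMatches.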