JDK-6750005 : subjectAltName-Extensions of the certificate are plainly ignored

Details
Type: Bug
Submit Date: 2008-09-18
Status: Closed
Updated Date: 2010-04-26
Project Name: JDK
Resolved Date: 2009-02-19
Component: deploy
OS: windows_xp
Sub-Component: deployment_toolkit
CPU: x86
Priority: P4
Resolution: Duplicate
Affected Versions: 6u10
Fixed Versions:

Description
Applets are normally not placed on secure sites, because an applet can be
signed itself. So a trusted server is not necessary.

However, if you place an applet on a secure site, here comes the
problem: the browser throws this warning message:

"The page contains insecure elements. Do you want to display the insecure elements"

To get rid of this, you have to load the applet from the https-URL. But
then, the java-plugin complains about an invalid certificate.

The certificate contains subject-alt-names which are correctly honored
by all browsers like IE and Firefox. Only the applet suddenly
complains that the name in the certificate would not match the server name.

It might be a bug in
sun.plugin.security.CertificateHostnameVerifyer.java

The hostname is compared with the subject common name of the subject,
but subjectAltName-Extensions of the certificate are plainly ignored.

Other special cases are also missing, like subject name "*.example.com".

This behavior can be seen in all java versions. But the implementation
in JSSE is correct, so new URL("https://example.com/").openStream() works 
flawlessly with SAN and wildcard certificates.

Should be simple to port the cert check routine from jsse to deployment.
com.sun.deploy.security.CertificateHostnameVerifier.java
(located in the JDK source under: deploy/src/common/classes)
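
An added example (not code from the JDK or from this report) of the name check the report says is missing: dNSName subjectAltName entries are checked first, the common name is used only as a fallback, and a wildcard is accepted in the left-most label, following RFC 2818. The class and method names are hypothetical; `sans` has the shape returned by `X509Certificate.getSubjectAlternativeNames()`, and the sample host names are constructed.

```java
import java.util.*;

public class SanHostnameCheck {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    // sans: same shape as X509Certificate.getSubjectAlternativeNames(); null if no extension.
    static boolean matches(String host, Collection<List<?>> sans, String commonName) {
        boolean sawDnsName = false;
        if (sans != null) {
            for (List<?> entry : sans) {
                if ((Integer) entry.get(0) != DNS_NAME) continue;
                sawDnsName = true;
                if (matchesPattern(host, (String) entry.get(1))) return true;
            }
        }
        // RFC 2818: the CN is consulted only when no dNSName entry is present.
        return !sawDnsName && commonName != null && matchesPattern(host, commonName);
    }

    // Case-insensitive; "*" is honored only as the entire left-most label.
    static boolean matchesPattern(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1); // e.g. ".example.com"
        // Assumption of this example: refuse nested wildcards and "*.tld".
        if (suffix.indexOf('*') >= 0 || suffix.indexOf('.', 1) < 0) return false;
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(suffix);
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the bug report.
        List<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(DNS_NAME, "www.example.com"));
        sans.add(Arrays.asList(DNS_NAME, "*.apps.example.com"));
        String cn = "legacy.example.com";
        for (String host : new String[] {"www.example.com", "a.apps.example.com",
                "a.b.apps.example.com", "legacy.example.com"}) {
            System.out.println(host + " with SAN: " + matches(host, sans, cn));
        }
        // No SAN extension: fall back to a wildcard common name.
        System.out.println("mail.example.com CN only: "
                + matches("mail.example.com", null, "*.example.com"));
    }
}
```

A verifier that compares the host only against the common name, as the report describes, would reject the first two hosts and accept `legacy.example.com`, the reverse of what this check returns for a certificate that carries dNSName entries.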

                                    
