JDK-7192189 : Support new endpoint identification algorithm in RFC 6125
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2012-08-17
  • Updated: 2021-02-03
See http://mail.openjdk.java.net/pipermail/security-dev/2012-August/005371.html


Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
algorithms supported by
SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
"LDAPS". ... <deleted>...

I'm not sure if there is much awareness for it, but there is an RFC
that aims to harmonise the best practices for server name
identification across protocols: RFC 6125, "Representation and
Verification of Domain-Based Application Service Identity within
Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
the Context of Transport Layer Security (TLS)". (In practice, it's
actually quite close to the HTTPS rules from RFC 2818.)

I'd just like to suggest that further versions of the JDK/JRE could
support an "RFC6125" algorithm in addition to the existing ones, since
it's meant to be independent of the application protocol (perhaps all
this could be enabled by default too, to prevent cases where users
don't verify the host name at all).

Best wishes,
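As an added illustration (not part of the original report or of the JDK code base), the following Java client code shows the existing mechanism the report refers to: enabling the "HTTPS" endpoint identification algorithm through SSLParameters on an SSLSocket and on an SSLEngine, so that JSSE checks the server certificate against the intended host name instead of only validating the chain. The host and port values are placeholders.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class EndpointIdentificationExample {

    // With no endpoint identification algorithm set, an SSLSocket or SSLEngine
    // validates the certificate chain but never checks that the certificate
    // was issued for the host the client meant to reach. The algorithm names
    // the JDK currently recognises are "HTTPS" and "LDAPS" (use "LDAPS" for
    // LDAP clients); the "RFC6125" name proposed above does not exist yet.

    /** Opens a client SSLSocket to host:port with host-name verification on. */
    public static SSLSocket connectWithHostnameCheck(String host, int port)
            throws IOException, GeneralSecurityException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // createSocket(host, port) records host as the peer host; the
        // endpoint identification check compares the certificate against it.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        // The handshake now fails if the certificate does not match host.
        socket.startHandshake();
        return socket;
    }

    /** Same setting for non-blocking I/O built on SSLEngine. */
    public static SSLEngine clientEngineWithHostnameCheck(String host, int port)
            throws GeneralSecurityException {
        // The peer host passed here is what the identity check is run against.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder target; replace with a real TLS endpoint to try it.
        try (SSLSocket s = connectWithHostnameCheck("example.invalid", 443)) {
            System.out.println("Negotiated " + s.getSession().getProtocol());
        }
    }
}
```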

Would consider it in a future release.