FULL PRODUCT VERSION :
C:\Users\Adminuser7>java -version
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) Client VM (build 24.71-b01, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows7 professional SP1
A DESCRIPTION OF THE PROBLEM :
I tried to access java web start via IPv6 address. I got .jnlp , but could not get .jar file. The exception is:
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 2001:db8::1:1:0:1 found
at sun.security.util.HostnameChecker.matchIP(Unknown Source)
This exception maybe cause here.
/**
* Check if the certificate allows use of the given IP address.
*
* From RFC2818:
* In some cases, the URI is specified as an IP address rather than a
* hostname. In this case, the iPAddress subjectAltName must be present
* in the certificate and must exactly match the IP in the URI.
*/
private static void matchIP(String expectedIP, X509Certificate cert)
throws CertificateException {
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames == null) {
throw new CertificateException
("No subject alternative names present");
}
for (List<?> next : subjAltNames) {
// For IP address, it needs to be exact match
if (((Integer)next.get(0)).intValue() == ALTNAME_IP) {
String ipAddress = (String)next.get(1);
if (expectedIP.equalsIgnoreCase(ipAddress)) {
return;
}
}
}
throw new CertificateException("No subject alternative " +
"names matching " + "IP address " +
expectedIP + " found");
}
I think failed compare "if (expectedIP.equalsIgnoreCase(ipAddress)) {".
expectedIP is abbrevation ipv6 format, but ipAddress is non-abbrevation ipv6 format. As a result, the compare is failed if the ipv6 address is the same.
So, I changed the ip address and subject altnames from 2001:db8::1:1:0:1 to 1111:2222:3333:4444:aaaa:bbbb:cccc:dddd(non-abbrevation address) and it does work!
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
1. Access by host name.
2. Use non-abbrevation ipv6 address