JDK-8065553 : Failed Java web start via IPv6 (Java7u71 or later)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u71
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_7
  • CPU: x86
  • Submitted: 2014-11-17
  • Updated: 2016-11-24
  • Resolved: 2015-02-16
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9
7u80 b10Fixed 8u45Fixed 9Fixed
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
C:\Users\Adminuser7>java -version
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) Client VM (build 24.71-b01, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows7 professional SP1

A DESCRIPTION OF THE PROBLEM :
I tried to access java web start via IPv6 address. I got .jnlp , but could not get .jar file. The exception is:

Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 2001:db8::1:1:0:1 found
at sun.security.util.HostnameChecker.matchIP(Unknown Source)

This exception maybe cause here. 
/**
* Check if the certificate allows use of the given IP address.
*
* From RFC2818:
* In some cases, the URI is specified as an IP address rather than a
* hostname. In this case, the iPAddress subjectAltName must be present
* in the certificate and must exactly match the IP in the URI.
*/
private static void matchIP(String expectedIP, X509Certificate cert)
    throws CertificateException {
    Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
    if (subjAltNames == null) {
        throw new CertificateException
                  ("No subject alternative names present");
    }
    for (List<?> next : subjAltNames) {
        // For IP address, it needs to be exact match
        if (((Integer)next.get(0)).intValue() == ALTNAME_IP) {
            String ipAddress = (String)next.get(1);
            if (expectedIP.equalsIgnoreCase(ipAddress)) {
                return;
               }
           }
     }
     throw new CertificateException("No subject alternative " +
                "names matching " + "IP address " +
                 expectedIP + " found");
}

I think failed compare "if (expectedIP.equalsIgnoreCase(ipAddress)) {".
expectedIP is abbrevation ipv6 format, but ipAddress is non-abbrevation ipv6 format. As a result, the compare is failed if the ipv6 address is the same.

So, I changed the ip address and subject altnames from 2001:db8::1:1:0:1 to 1111:2222:3333:4444:aaaa:bbbb:cccc:dddd(non-abbrevation address) and it does work!




REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
1. Access by host name.
2. Use non-abbrevation ipv6 address


Comments
Base on the current nighlty results SQE OK to take the fix into CPU15_02
13-02-2015