On Tue, 2 Mar 2021 12:43:27 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> HttpsURLConnection works with the SunJSSE provider but does not work with
>> other JSSE providers. In the case of SunJSSE, HttpsURLConnection sets the
>> host name as follows:
>>
>> s = (SSLSocket)serverSocket;
>> if (s instanceof SSLSocketImpl) {
>>     ((SSLSocketImpl)s).setHost(host);
>> }
>>
>> But in the case of other providers (BouncyCastleProvider) the host will not
>> get set and a "java.security.cert.CertificateException: No subject
>> alternative name found matching IP address" exception will be thrown.
>
> src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java line
> 569:
>
>> 567: SSLParameters paramaters = s.getSSLParameters();
>> 568:
>> paramaters.setEndpointIdentificationAlgorithm("HTTPS");
>> 569:
>> paramaters.setServerNames(Collections.singletonList(new SNIHostName(host)));
>
> What if the SSL layer already has an SNIHostName configured? Is there a risk
> that this will introduce regressions in such cases?

Maybe; I am not sure. We may need this code change to be reviewed by a security expert. I am setting "SNIHostName" only if "isDefaultHostnameVerifier" is true (if the HNV is the default from HttpsURLConnection), so there should not be a problem.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2583
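Review bot: on line 569, `setServerNames(Collections.singletonList(new SNIHostName(host)))` replaces the whole server-name list obtained from `getSSLParameters()`, so an SNI name that was already configured on the socket is discarded. Consider reading `paramaters.getServerNames()` first and setting the `SNIHostName` only when that list is null or empty. The exception quoted in the description mentions an IP address, and RFC 6066 does not permit literal IP addresses in an SNI HostName, so `host` should be checked before it is wrapped in `SNIHostName`. The quoted lines 567 to 569 do not show `s.setSSLParameters(paramaters)`, which is needed for the modified parameters to take effect on the socket, and the variable name `paramaters` is misspelled.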