Hello,

the JCE algorithm specification
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
states for TLS:

"... The Java SE 7 release supports endpoint identification algorithms for TLS 1.2. The algorithm name can be passed to the setEndpointIdentificationAlgorithm() method of javax.net.ssl.SSLParameters ...."

If I read the source* right, and especially since it would be a rather strange thing if it did not, the actual hostname verification is done regardless of the actual TLS protocol. So I think the "TLS 1.2" in the above text refers to the TLSv1.2/SunJSSE protocol/provider, not the actual negotiated protocol level, right?

If I use an unknown algorithm, the verifier will fail with CertificateException. I think this will trigger a registered HostnameVerifier (so far so good). But this does mean it also does not do chain checking and truststore, right? (So I had better customize the ExtendedX509TrustManager for checks in addition to the normal checks, right?)

* http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/21568031434d/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java#l454

Greetings
Bernd
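As an added illustration of the two mechanisms the mail asks about (it is example code written for this page, not code from the mail or from the JDK), the following Java client sets the endpoint identification algorithm on the SSLParameters of a plain SSLSocket, which is the per-connection switch that turns on hostname checking in SunJSSE irrespective of which TLS version gets negotiated, and it installs an X509ExtendedTrustManager that delegates to the platform default trust manager so that the normal PKIX chain and truststore validation is kept, with an extra policy hook layered on top. Assumptions: the target host "example.com" is a placeholder, and the extra check (rejecting leaf certificates valid for more than 825 days) is a constructed policy chosen only to show where additional checks belong.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class EndpointIdentificationDemo {

    /** Wraps the JDK's default X509ExtendedTrustManager: chain and truststore validation
     *  stay exactly as the platform does them, and an extra policy hook is added on top. */
    static final class DelegatingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        DelegatingTrustManager(X509ExtendedTrustManager delegate) { this.delegate = delegate; }

        static DelegatingTrustManager fromDefault() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null keystore => the JDK default truststore (cacerts)
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509ExtendedTrustManager) {
                    return new DelegatingTrustManager((X509ExtendedTrustManager) tm);
                }
            }
            throw new IllegalStateException("no X509ExtendedTrustManager available");
        }

        // Socket-aware variant: JSSE hands the SSLSocket to this method, so the delegate can read the
        // endpoint identification algorithm from the handshake parameters and check the hostname.
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType, socket); // PKIX chain + hostname (if algorithm set)
            extraChecks(chain);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType, engine);
            extraChecks(chain);
        }

        // Two-argument variant: no socket or engine, so no endpoint identification can happen here.
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType);
            extraChecks(chain);
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

        /** Constructed extra policy, run only after the default checks have passed. */
        private static void extraChecks(X509Certificate[] chain) throws CertificateException {
            X509Certificate leaf = chain[0];
            long validityMillis = leaf.getNotAfter().getTime() - leaf.getNotBefore().getTime();
            if (validityMillis > 825L * 24 * 60 * 60 * 1000) { // 825 days: constructed threshold
                throw new CertificateException("leaf certificate validity period too long");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        int port = 443;

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { DelegatingTrustManager.fromDefault() }, null);

        // createSocket(host, port) gives JSSE the hostname it needs for SNI and endpoint identification.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Standard names are "HTTPS" and "LDAPS". Without this call a raw SSLSocket validates the
            // chain but never compares the certificate against the hostname.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("negotiated " + socket.getSession().getProtocol()
                    + ", certificate chain validated and hostname checked for " + host);
        }
    }
}
```

The two checks are independent: chain and truststore validation is the trust manager's job and runs on every handshake, while hostname matching only runs when an endpoint identification algorithm has been set on the SSLParameters (HttpsURLConnection does this for you; a hand-built SSLSocket or SSLEngine does not). Delegating to the default X509ExtendedTrustManager rather than replacing it keeps both, and the socket- and engine-aware overloads are the ones that must delegate, because those are the calls through which JSSE supplies the hostname context.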
