On Tue, 28 Apr 2026 11:26:07 GMT, Volkan Yazici <[email protected]> wrote:
>> Per [RFC 6066 "3. Server Name Indication"], disallow IP literals in >> `SNIHostName::new`. >> >> While the following two call-sites could be simplified by removing IP >> literal checks, I've refrained from doing so because delegating some of the >> checks to an exception catching mechanism would impact the performance: >> >> sun.security.ssl.Utilities::rawToSNIHostName >> sun.net.www.protocol.https.HttpsClient::afterConnect >> >> [RFC 6066 "3. Server Name Indication"]: >> https://www.rfc-editor.org/rfc/rfc6066.html#page-6 >> >> --------- >> - [X] I confirm that I make this contribution in accordance with the >> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai). > > Volkan Yazici has updated the pull request incrementally with one additional > commit since the last revision: > > Big facelift src/java.base/share/classes/javax/net/ssl/SNIHostName.java line 560: > 558: if (!strict) { > 559: return; > 560: } Since we are doing this `strict` overhaul, I think this is a good time to also add a proper DNS format validation by calling this [DNSName](https://github.com/openjdk/jdk/blob/13c92d0d4d137c7d83a946d1fcd2dfc5686e7b51/src/java.base/share/classes/sun/security/x509/DNSName.java#L143) constructor. We recently updated it with additional checks. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/30747#discussion_r3158195246
