JDK-4748292

Prevent/Disable reverse name lookups with JSSE SSL sockets


    • Type: Enhancement
    • Resolution: Fixed
    • Priority: P4
    • Fix Version: 1.4.2
    • Affects Version: 1.4.0
    • Component: security-libs
    • mantis
    • CPU: x86
    • OS: windows_2000
    • Verification: Verified



      Name: nt126004 Date: 09/16/2002


      FULL PRODUCT VERSION :
      java version "1.4.0"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
      Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)

      FULL OPERATING SYSTEM VERSION :
      Microsoft Windows 2000 [Version 5.00.2195]

      ADDITIONAL OPERATING SYSTEMS :
      Depends on how local system reverse DNS lookup works


      A DESCRIPTION OF THE PROBLEM :
      With the JSSE implementation that is part of JDK1.4,
      every time an SSL socket tries to connect to a server, it
      calls InetAddress.getHostByName() which causes a reverse
      name lookup. It would be nice to be able to disable or
      prevent this from happening in some way. In some cases, we
      know the reverse name lookup will fail, but it can take
      several seconds to fail. In an application that does lots
      of SSL connections, it is not acceptable to have to wait
      several seconds for each SSL connection.

      With the previous JSSE, this call was not made.

      InetAddress can cache name lookups, but not reverse name
      lookups. If reverse lookups were cached, we could limit
      the delay to only the first SSL connection to each host.

      The security manager can deny the lookup, but in
      InetAddress, the lookup actually happens before the
      security manager check.

      Setting the networking.cache.ttl property does not apply in this case. The
      caching is only for name lookups, not reverse name lookups. The addresses
      are cached, not the names. Those properties control looking up the IP
      address based on the name, but I am looking up the name based on the IP
      address. I don't know if it is a security issue to cache the
      names/addresses in both directions (so both types of lookups can be cached).

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      It would be nice to not have to wait for it to fail if we
      already know it will fail or we don't care what the
      hostname is.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER WORKAROUND :
      Add the IP address to your hosts file. But, this is not
      acceptable for applications that contact hundreds of IP
      addresses.
      (Review ID: 163812)
      ======================================================================
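The behaviour the report describes can be observed directly with java.net.InetAddress, without JSSE. The following is an added example (not code from the bug report, and not JSSE's own code) that shows which InetAddress calls trigger a reverse (PTR) lookup, that the result is cached only inside the one InetAddress object rather than process-wide, and the one way the public API lets a caller avoid the lookup entirely: constructing the address with InetAddress.getByAddress(String, byte[]) so the host name is already filled in. It assumes a Java 8 or later JDK for the lambdas (the InetAddress methods themselves date from JDK 1.4), and the address 192.0.2.1 is a constructed sample chosen because it is a TEST-NET-1 address with no PTR record, so its reverse lookup fails, and on many resolvers fails slowly.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

/*
 * Added example, not code from the bug report or from JSSE.
 * Assumes Java 8+ (lambdas). 192.0.2.1 is a constructed sample address
 * (TEST-NET-1) with no PTR record, so its reverse lookup has to fail.
 */
public class ReverseLookupDemo {

    static final byte[] SAMPLE_ADDR = {(byte) 192, 0, 2, 1};

    /* Runs one call, prints how long it took, and returns the elapsed milliseconds. */
    static long timed(String label, Runnable call) {
        long start = System.nanoTime();
        call.run();
        long ms = (System.nanoTime() - start) / 1_000_000L;
        System.out.println(label + ": " + ms + " ms");
        return ms;
    }

    public static void main(String[] args) throws UnknownHostException {
        /* 1. An address built from raw bytes carries no host name. getHostAddress()
         *    only formats the bytes, but the first getHostName() asks the name
         *    service for the PTR name: the reverse lookup the report complains about. */
        InetAddress bare = InetAddress.getByAddress(SAMPLE_ADDR);
        timed("getHostAddress(), no lookup          ", () -> bare.getHostAddress());
        timed("getHostName(), first call, PTR query ", () -> bare.getHostName());

        /* The answer (or, on failure, the dotted literal) is stored in this one
         * object, so repeating the call on the same instance costs nothing. A new
         * InetAddress for the same IP starts over: there is no process-wide cache
         * of reverse lookups, only of forward ones. */
        timed("getHostName(), same object           ", () -> bare.getHostName());
        InetAddress again = InetAddress.getByAddress(SAMPLE_ADDR);
        timed("getHostName(), new object, PTR query ", () -> again.getHostName());

        /* 2. Supplying a name up front fills the field getHostName() returns, so no
         *    name-service call is ever made. Any string the application chooses
         *    works; here the dotted literal is used as the placeholder. The object
         *    can be handed to any API that takes an InetAddress, for example
         *    SSLSocketFactory.createSocket(InetAddress, int). */
        InetAddress seeded = InetAddress.getByAddress("192.0.2.1", SAMPLE_ADDR);
        timed("getHostName(), pre-seeded, no lookup ", () -> seeded.getHostName());
    }
}
```

Run it with `java ReverseLookupDemo.java` on a machine whose resolver is slow to answer PTR queries for unroutable addresses and the second and fourth lines show the delay the report describes, while the third and fifth return immediately. Whether pre-seeding helps a particular JSSE build depends on whether that build calls getHostName() on the InetAddress the application passed in or on one it creates itself; the report only says that the 1.4.0 implementation performs the lookup on every connection.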

            Assignee: ywangsunw Yingxian Wang
            Reporter: nthompsosunw Nathanael Thompson