Name: jl125535 Date: 12/01/2003


FULL PRODUCT VERSION :
java version "1.4.2_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_02-b03)
Java HotSpot(TM) Client VM (build 1.4.2_02-b03, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
SunOS hydra.ariba.com 5.8 Generic_108528-18 sun4u sparc SUNW,Ultra-60


A DESCRIPTION OF THE PROBLEM :
When connecting to an https URL where the hostname begins with a number, JSSE
always throws an exception stating "HTTPS hostname wrong". Looking at the
source, the problem seems to be in sun.security.util.HostnameChecker. Method
isIpAddress returns true if the hostname begins with a digit; a comment in the
source reads, "if it begins with a digit, it cannot be a hostname". Once
HostnameChecker believes the hostname is an IP address, things go wrong and the
validation fails.

In sun.security.util.HostnameChecker.isIpAddress(), this code appears:

// if it begins with a digit, it cannot be a hostname
if (isDigit(name.charAt(0))) {
    return true;
}

... which seems to be the root cause of this problem.


However, the comment is wrong. It is perfectly legal for hostnames to begin
with a digit and in fact some do. RFC1035 (Domain Names) specifies a "preferred
name syntax" which says that names should begin with a letter, not a digit, but
this is only the "preferred" syntax, not the required syntax. The actual
allowed syntax is *ANY* sequence of 8-bit octets. (See RFC 1035, section 3.1 -- http://www.ietf.org/rfc/rfc1035.txt).


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Open an HttpsURLConnection to a host with a valid SSL server certificate where
the hostname begins with a digit. The exception will be thrown.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The connection should succeed and proceed normally.
ACTUAL -
The connection fails with the exception below (actual hostname removed since
it belongs to a customer of ours and we don't want to plaster their URL all over the place).

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be <xxxx>
        at sun.net.www.protocol.https.HttpsClient.b(DashoA6275)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:617)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
        at java.net.URL.openStream(URL.java:913)
        at url.main(url.java:7)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.*;
import java.net.*;

public class url {
    public static void main(String argv[]) throws Exception {
        URL url = new URL(argv[0]);
        InputStream in = url.openStream();
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Implement the javax.net.ssl.HostnameVerifier interface.
(Incident Review ID: 227810)
======================================================================