-
Bug
-
Resolution: Fixed
-
P2
-
solaris_11
-
b03
-
generic
-
solaris_nevada
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2190717 | OpenJDK6 | Chris Hegarty | P3 | Resolved | Fixed | b19 |
| JDK-2172902 | 5.0-pool | Abhijit Saha | P2 | Closed | Won't Fix |
An application that uses SSL runs fine under JDK 1.6.0_07 fails on 1.6.0_10, with the error "java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found". As far as I can tell, this means certificate client hostname checking in _10 is broken.
I've subclassed X509ExtendedTrustManager and overridden the following method and added code to print out the "hostname" parameter:
public void checkClientTrusted(X509Certificate chain[],
String authType, String hostname, String algorithm)
The SSL debugging trace for _10 is below, the first line is from the 'println' described above.
On _07 this prints "localhost", on _10 it prints "127.0.0.1". The certificate contains a Subject Alternative Name DNS entry for "localhost", but not an IP entry, so the verification fails on _10 because the "hostname" parameter is being passed incorrectly as the IP address.
----------
hostname: 127.0.0.1
Found trusted certificate:
[
[
Version: V3
Subject: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunPKCS11-Solaris RSA public key, 1024 bits (id 141872840, session object)
modulus: 109777218937388701784579687142656553341258321638585627485175050314459183201332477916460154772991397177884180777647990110004231594570592744683000156387973919408665778569055470325764510541090702915175442409277089172259451334766955930833463434056218955943049848174218012553219322334089538187179486760641341890673
public exponent: 65537
Validity: [From: Wed Dec 12 21:23:40 GMT 2007,
To: Tue Dec 11 21:23:40 GMT 2012]
Issuer: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
SerialNumber: [ d790f9d4 fda5a41f]
Certificate Extensions: 9
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
RFC822Name: root@localhost
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 21 A5 8E AF 58 A0 CF A1 49 43 67 5B AD CB F8 EF !...X...ICg[....
0010: 3E 6F CC 43 >o.C
]
[CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH]
SerialNumber: [ d790f9d4 fda5a41f]
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 A5 8E AF 58 A0 CF A1 49 43 67 5B AD CB F8 EF !...X...ICg[....
0010: 3E 6F CC 43 >o.C
]
]
[4]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 24 16 22 4F 70 65 6E 53 6F 6C 61 72 69 73 2E .$."OpenSolaris.
0010: 6F 72 67 20 43 6C 69 65 6E 74 20 43 65 72 74 69 org Client Certi
0020: 66 69 63 61 74 65 ficate
[5]: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
DNSName: localhost
RFC822Name: root@localhost
]
[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
]
[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[8]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
clientAuth
]
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3B E1 09 78 7A FB 9E D8 17 B9 0C E0 FE 59 E6 5E ;..xz........Y.^
0010: 35 70 85 CE B6 1F AD DD 17 13 60 CC BE 9F D6 53 5p........`....S
0020: 33 B1 1E 43 A5 9E 21 A0 52 21 A1 C2 DA 32 75 94 3..C..!.R!...2u.
0030: 78 A3 7C 07 85 8C 80 AA AD 08 6E B5 56 47 4B EF x.........n.VGK.
0040: D3 68 19 57 2E C6 71 3F 3A FE EA AA D0 7E BF 84 .h.W..q?:.......
0050: 00 2F D1 1E 48 A2 46 92 EA 63 1F F7 77 92 BB 23 ./..H.F..c..w..#
0060: 92 A0 12 24 5D EE 8A B4 D6 26 D4 98 84 36 F9 09 ...$]....&...6..
0070: FA 3D D3 73 E0 CE 58 9B E6 64 8E FC DE 8F 27 5F .=.s..X..d....'_
]
XML-RPC Weblistener, SEND TLSv1 ALERT: fatal, description = certificate_unknown
XML-RPC Weblistener, WRITE: TLSv1 Alert, length = 2
XML-RPC Weblistener, called closeSocket()
XML-RPC Weblistener, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
XML-RPC Weblistener, called close()
XML-RPC Weblistener, called closeInternal(true)
03 Nov 2008 12:52:39,421 ERROR java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1253)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
at org.apache.xmlrpc.webserver.HttpServletRequestImpl$2.read(HttpServletRequestImpl.java:91)
at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:94)
at org.apache.xmlrpc.webserver.HttpServletRequestImpl.readLine(HttpServletRequestImpl.java:167)
at org.apache.xmlrpc.webserver.HttpServletRequestImpl.<init>(HttpServletRequestImpl.java:103)
at org.apache.xmlrpc.webserver.ServletConnection.<init>(ServletConnection.java:47)
at org.apache.xmlrpc.webserver.ServletWebServer.newTask(ServletWebServer.java:142)
at org.apache.xmlrpc.webserver.WebServer.run(WebServer.java:326)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:155)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:238)
at org.opensolaris.auth.ssl.SSLSocketManager$HostnameCheckTrustManager.checkClientTrusted(SSLSocketManager.java:279)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1232)
... 17 more
I've subclassed X509ExtendedTrustManager and overridden the following method and added code to print out the "hostname" parameter:
public void checkClientTrusted(X509Certificate chain[],
String authType, String hostname, String algorithm)
The SSL debugging trace for _10 is below, the first line is from the 'println' described above.
On _07 this prints "localhost", on _10 it prints "127.0.0.1". The certificate contains a Subject Alternative Name DNS entry for "localhost", but not an IP entry, so the verification fails on _10 because the "hostname" parameter is being passed incorrectly as the IP address.
----------
hostname: 127.0.0.1
Found trusted certificate:
[
[
Version: V3
Subject: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunPKCS11-Solaris RSA public key, 1024 bits (id 141872840, session object)
modulus: 109777218937388701784579687142656553341258321638585627485175050314459183201332477916460154772991397177884180777647990110004231594570592744683000156387973919408665778569055470325764510541090702915175442409277089172259451334766955930833463434056218955943049848174218012553219322334089538187179486760641341890673
public exponent: 65537
Validity: [From: Wed Dec 12 21:23:40 GMT 2007,
To: Tue Dec 11 21:23:40 GMT 2012]
Issuer: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
SerialNumber: [ d790f9d4 fda5a41f]
Certificate Extensions: 9
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
RFC822Name: root@localhost
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 21 A5 8E AF 58 A0 CF A1 49 43 67 5B AD CB F8 EF !...X...ICg[....
0010: 3E 6F CC 43 >o.C
]
[CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH]
SerialNumber: [ d790f9d4 fda5a41f]
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 A5 8E AF 58 A0 CF A1 49 43 67 5B AD CB F8 EF !...X...ICg[....
0010: 3E 6F CC 43 >o.C
]
]
[4]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 24 16 22 4F 70 65 6E 53 6F 6C 61 72 69 73 2E .$."OpenSolaris.
0010: 6F 72 67 20 43 6C 69 65 6E 74 20 43 65 72 74 69 org Client Certi
0020: 66 69 63 61 74 65 ficate
[5]: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
DNSName: localhost
RFC822Name: root@localhost
]
[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
]
[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[8]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
clientAuth
]
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3B E1 09 78 7A FB 9E D8 17 B9 0C E0 FE 59 E6 5E ;..xz........Y.^
0010: 35 70 85 CE B6 1F AD DD 17 13 60 CC BE 9F D6 53 5p........`....S
0020: 33 B1 1E 43 A5 9E 21 A0 52 21 A1 C2 DA 32 75 94 3..C..!.R!...2u.
0030: 78 A3 7C 07 85 8C 80 AA AD 08 6E B5 56 47 4B EF x.........n.VGK.
0040: D3 68 19 57 2E C6 71 3F 3A FE EA AA D0 7E BF 84 .h.W..q?:.......
0050: 00 2F D1 1E 48 A2 46 92 EA 63 1F F7 77 92 BB 23 ./..H.F..c..w..#
0060: 92 A0 12 24 5D EE 8A B4 D6 26 D4 98 84 36 F9 09 ...$]....&...6..
0070: FA 3D D3 73 E0 CE 58 9B E6 64 8E FC DE 8F 27 5F .=.s..X..d....'_
]
XML-RPC Weblistener, SEND TLSv1 ALERT: fatal, description = certificate_unknown
XML-RPC Weblistener, WRITE: TLSv1 Alert, length = 2
XML-RPC Weblistener, called closeSocket()
XML-RPC Weblistener, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
XML-RPC Weblistener, called close()
XML-RPC Weblistener, called closeInternal(true)
03 Nov 2008 12:52:39,421 ERROR java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1253)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
at org.apache.xmlrpc.webserver.HttpServletRequestImpl$2.read(HttpServletRequestImpl.java:91)
at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:94)
at org.apache.xmlrpc.webserver.HttpServletRequestImpl.readLine(HttpServletRequestImpl.java:167)
at org.apache.xmlrpc.webserver.HttpServletRequestImpl.<init>(HttpServletRequestImpl.java:103)
at org.apache.xmlrpc.webserver.ServletConnection.<init>(ServletConnection.java:47)
at org.apache.xmlrpc.webserver.ServletWebServer.newTask(ServletWebServer.java:142)
at org.apache.xmlrpc.webserver.WebServer.run(WebServer.java:326)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:155)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:238)
at org.opensolaris.auth.ssl.SSLSocketManager$HostnameCheckTrustManager.checkClientTrusted(SSLSocketManager.java:279)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1232)
... 17 more
- backported by
-
JDK-2190717 X509 certificate hostname checking is broken in JDK1.6.0_10
-
- Resolved
-
-
-
- Closed
-
- relates to
-
-
- Resolved
-
-
-
- Closed
-
-
JDK-6586274 SSLSocketFactory and SSLServerSocketFactory can't be configured
-
- Closed
-
-
-
- Closed
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-
(4 relates to)