JDK-6766775

X509 certificate hostname checking is broken in JDK1.6.0_10


    • b03
    • generic
    • solaris_nevada

        An application that uses SSL and runs fine under JDK 1.6.0_07 fails on 1.6.0_10 with the error "java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found". As far as I can tell, this means certificate client hostname checking in _10 is broken.

        I've subclassed X509ExtendedTrustManager and overridden the following method and added code to print out the "hostname" parameter:

            public void checkClientTrusted(X509Certificate chain[],
              String authType, String hostname, String algorithm)

        The SSL debugging trace for _10 is below; the first line is from the 'println' described above.

        On _07 this prints "localhost", on _10 it prints "127.0.0.1". The certificate contains a Subject Alternative Name DNS entry for "localhost", but not an IP entry, so the verification fails on _10 because the "hostname" parameter is being passed incorrectly as the IP address.

        ----------

        hostname: 127.0.0.1

        Found trusted certificate:
        [
        [
          Version: V3
          Subject: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
          Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

          Key: SunPKCS11-Solaris RSA public key, 1024 bits (id 141872840, session object)
          modulus: 109777218937388701784579687142656553341258321638585627485175050314459183201332477916460154772991397177884180777647990110004231594570592744683000156387973919408665778569055470325764510541090702915175442409277089172259451334766955930833463434056218955943049848174218012553219322334089538187179486760641341890673
          public exponent: 65537
          Validity: [From: Wed Dec 12 21:23:40 GMT 2007,
                       To: Tue Dec 11 21:23:40 GMT 2012]
          Issuer: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
          SerialNumber: [ d790f9d4 fda5a41f]

        Certificate Extensions: 9
        [1]: ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: localhost
          RFC822Name: root@localhost
        ]

        [2]: ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: 21 A5 8E AF 58 A0 CF A1 49 43 67 5B AD CB F8 EF !...X...ICg[....
        0010: 3E 6F CC 43 >o.C
        ]

        [CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH]
        SerialNumber: [ d790f9d4 fda5a41f]
        ]

        [3]: ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 21 A5 8E AF 58 A0 CF A1 49 43 67 5B AD CB F8 EF !...X...ICg[....
        0010: 3E 6F CC 43 >o.C
        ]
        ]

        [4]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
        Extension unknown: DER encoded OCTET string =
        0000: 04 24 16 22 4F 70 65 6E 53 6F 6C 61 72 69 73 2E .$."OpenSolaris.
        0010: 6F 72 67 20 43 6C 69 65 6E 74 20 43 65 72 74 69 org Client Certi
        0020: 66 69 63 61 74 65 ficate


        [5]: ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          DNSName: localhost
          RFC822Name: root@localhost
        ]

        [6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
        NetscapeCertType [
           SSL client
        ]

        [7]: ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]

        [8]: ObjectId: 2.5.29.37 Criticality=true
        ExtendedKeyUsages [
          clientAuth
        ]

        [9]: ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]

        ]
          Algorithm: [SHA1withRSA]
          Signature:
        0000: 3B E1 09 78 7A FB 9E D8 17 B9 0C E0 FE 59 E6 5E ;..xz........Y.^
        0010: 35 70 85 CE B6 1F AD DD 17 13 60 CC BE 9F D6 53 5p........`....S
        0020: 33 B1 1E 43 A5 9E 21 A0 52 21 A1 C2 DA 32 75 94 3..C..!.R!...2u.
        0030: 78 A3 7C 07 85 8C 80 AA AD 08 6E B5 56 47 4B EF x.........n.VGK.
        0040: D3 68 19 57 2E C6 71 3F 3A FE EA AA D0 7E BF 84 .h.W..q?:.......
        0050: 00 2F D1 1E 48 A2 46 92 EA 63 1F F7 77 92 BB 23 ./..H.F..c..w..#
        0060: 92 A0 12 24 5D EE 8A B4 D6 26 D4 98 84 36 F9 09 ...$]....&...6..
        0070: FA 3D D3 73 E0 CE 58 9B E6 64 8E FC DE 8F 27 5F .=.s..X..d....'_

        ]
        XML-RPC Weblistener, SEND TLSv1 ALERT: fatal, description = certificate_unknown
        XML-RPC Weblistener, WRITE: TLSv1 Alert, length = 2
        XML-RPC Weblistener, called closeSocket()
        XML-RPC Weblistener, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
        XML-RPC Weblistener, called close()
        XML-RPC Weblistener, called closeInternal(true)
        03 Nov 2008 12:52:39,421 ERROR java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
        javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
                at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
                at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
                at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
                at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1253)
                at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
                at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
                at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
                at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
                at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
                at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
                at org.apache.xmlrpc.webserver.HttpServletRequestImpl$2.read(HttpServletRequestImpl.java:91)
                at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:94)
                at org.apache.xmlrpc.webserver.HttpServletRequestImpl.readLine(HttpServletRequestImpl.java:167)
                at org.apache.xmlrpc.webserver.HttpServletRequestImpl.<init>(HttpServletRequestImpl.java:103)
                at org.apache.xmlrpc.webserver.ServletConnection.<init>(ServletConnection.java:47)
                at org.apache.xmlrpc.webserver.ServletWebServer.newTask(ServletWebServer.java:142)
                at org.apache.xmlrpc.webserver.WebServer.run(WebServer.java:326)
                at java.lang.Thread.run(Thread.java:619)
        Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
                at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:155)
                at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
                at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
                at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:238)
                at org.opensolaris.auth.ssl.SSLSocketManager$HostnameCheckTrustManager.checkClientTrusted(SSLSocketManager.java:279)
                at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1232)
                ... 17 more
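
The stack trace above ends in HostnameChecker.match calling matchIP, which is why a certificate carrying only a DNSName entry for "localhost" is rejected once the peer identity arrives as "127.0.0.1". The sketch below is an added example, not JDK code and not code from the report: it models the rule that an IP literal is compared only with iPAddress SAN entries and a host name only with dNSName entries, using the entry shape returned by X509Certificate.getSubjectAlternativeNames(). The names SanMatchDemo, check and isIpLiteral are hypothetical, and the SAN list is constructed from the extension printed in the trace.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanMatchDemo {
    // GeneralName type codes as returned by X509Certificate.getSubjectAlternativeNames()
    static final int RFC822_NAME = 1, DNS_NAME = 2, IP_ADDRESS = 7;

    // Dotted-quad IPv4, or anything containing ':', is treated as an IP literal (no DNS lookup).
    static boolean isIpLiteral(String s) {
        return s.indexOf(':') >= 0 || s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Returns null when the expected identity matches, otherwise the reason for rejection.
    static String check(String expected, Collection<List<?>> sans) throws UnknownHostException {
        boolean ip = isIpLiteral(expected);
        int wanted = ip ? IP_ADDRESS : DNS_NAME;
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != wanted) continue; // SAN entries of other types never count
            String value = (String) san.get(1);
            boolean hit = ip
                ? InetAddress.getByName(expected).equals(InetAddress.getByName(value))
                : expected.equalsIgnoreCase(value); // exact match only; wildcard names omitted
            if (hit) return null;
        }
        return "no subject alternative " + (ip ? "IP address" : "DNS name")
                + " matching " + expected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the SubjectAlternativeName extension shown in the trace.
        Collection<List<?>> sans = Arrays.<List<?>>asList(
            Arrays.<Object>asList(DNS_NAME, "localhost"),
            Arrays.<Object>asList(RFC822_NAME, "root@localhost"));
        // The two values the reporter saw passed as "hostname" on _07 and _10.
        for (String peer : new String[] {"localhost", "127.0.0.1"}) {
            String why = check(peer, sans);
            System.out.println(peer + " -> " + (why == null ? "accepted" : "rejected: " + why));
        }
    }
}
```

To triage a real certificate the same way, pass the result of getSubjectAlternativeNames() to check together with the exact string the trust manager received.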

              xuelei Xuelei Fan
              alanbur Alan Burlison