P2
In the Java Secure Socket Extension (JSSE) Reference Guide at http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#allowUnsafeCert . In the guide, point #3 is incorrect:
Server certificate change in an SSL/TLS renegotiation may be unsafe:
1. if endpoint identification is not enabled in an SSL/TLS handshaking; and
2. if the previous handshake is a session-resumption abbreviated initial handshake; and
3. if the identities represented by both certificates can be regarded as the same.
Point 3 should say:
3. if the identities represented by both certificates can be regarded as different.
-- or --
3. unless the identities represented by both certificates can be regarded as the same.
Refer to isIdentityEquivalent() at sun/securit/ssl/ClientHandshaker.java
Server certificate change in an SSL/TLS renegotiation may be unsafe:
1. if endpoint identification is not enabled in an SSL/TLS handshaking; and
2. if the previous handshake is a session-resumption abbreviated initial handshake; and
3. if the identities represented by both certificates can be regarded as the same.
Point 3 should say:
3. if the identities represented by both certificates can be regarded as different.
-- or --
3. unless the identities represented by both certificates can be regarded as the same.
Refer to isIdentityEquivalent() at sun/securit/ssl/ClientHandshaker.java