  1. JDK
  2. JDK-8260925

HttpsURLConnection does not work with other JSSE provider.


    • b13

        If we try to open a URL as follows:
        new java.net.URL("https://google.com").openStream()

        The above code works with the SunJSSE provider but throws the exception below if I change the JSSE provider to BouncyCastleProvider.

        The following exception is thrown when the connection is made:

        java.security.cert.CertificateException: No subject alternative name found matching IP address 172.217.12.14

        This works with the default JSSE provider because the host is set in HttpsClient.java as follows:

           s = (SSLSocket)serverSocket;
           if (s instanceof SSLSocketImpl) {
                  ((SSLSocketImpl)s).setHost(host);
           }

        In the case of the BouncyCastle providers, the host above will not be set, causing the exception to be thrown.

        How to reproduce the issue.

        Follow the steps below to reproduce the issue.

        1-> Download all the attached files.
        1.1-> HttpsURLConnectionTest.java: the main program, which reproduces the issue.
        1.2-> mySrvKeystore: the certificate file.
        1.3-> mySrvKeystore.bks: the certificate file in BKS format.
        1.4-> Download the required BouncyCastle jars from www.bouncycastle.org.

        2-> Run HttpsURLConnectionTest with the SunJSSE provider; it will work as expected.
        You have to fix the certificate file path in the program.

        3-> To run HttpsURLConnection.java on BouncyCastleProvider, follow the steps below.
        3.1-> Go to the <JDK>/conf/security/java.security file.
        3.2-> Change the JSSE provider as follows:

        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{ALL};
        security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
        security.provider.3=sun.security.provider.Sun
        3.3-> Change the default keystore type to BCFKS:
        keystore.type=BCFKS
        3.4-> Change the default key and trust manager factory algorithms as follows:
        ssl.KeyManagerFactory.algorithm=PKIX
        ssl.TrustManagerFactory.algorithm=PKIX

        4-> Run HttpsURLConnectionTest; it will throw the exception.
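
        A diagnostic for checking which side of the instanceof test in the HttpsClient.java excerpt a given JDK configuration falls on. This is an added example, not part of the original report or of the JDK sources; the class name JsseProviderCheck is hypothetical, and the code only inspects the local configuration, so it opens no network connection.

```java
import java.net.SocketException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class JsseProviderCheck {
    // Class named in the HttpsClient.java excerpt; compared by name because
    // sun.security.ssl is not exported from java.base.
    static final String SUN_IMPL = "sun.security.ssl.SSLSocketImpl";

    // True if cls is, or extends, the SunJSSE socket implementation.
    static boolean isSunJsseSocket(Class<?> cls) {
        for (Class<?> c = cls; c != null; c = c.getSuperclass()) {
            if (SUN_IMPL.equals(c.getName())) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Provider order as configured in <JDK>/conf/security/java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d = %s%n", i + 1, providers[i].getName());
        }

        // The provider that actually serves the default TLS context.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: " + ctx.getProvider().getName());

        SSLParameters p = ctx.getDefaultSSLParameters();
        System.out.println("Default endpoint identification: "
                + p.getEndpointIdentificationAlgorithm());

        // Create an unconnected socket only to learn its concrete class.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            Class<?> cls = s.getClass();
            System.out.println("SSLSocket class: " + cls.getName());
            System.out.println(isSunJsseSocket(cls)
                    ? "instanceof SSLSocketImpl branch applies: host name is set"
                    : "instanceof SSLSocketImpl branch is skipped for this provider");
        } catch (SocketException e) {
            // Some socket factories do not support unconnected sockets.
            System.out.println("Unconnected socket not supported: " + e.getMessage());
        }
    }
}
```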
         

              vtewari Vyom Tewari