- Bug
- Resolution: Fixed
- P3
- 11, 14, 15
- b13
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8263100 | 11.0.12 | Vyom Tewari | P3 | Resolved | Fixed | b01 |
If we try to open a URL as follows:
new java.net.URL("https://google.com").openStream()
The above code works with the SunJSSE provider but will throw the below exception if I change the JSSE provider to BouncyCastleProvider.
The following exception is thrown when the connection is made:
java.security.cert.CertificateException: No subject alternative name found matching IP address 172.217.12.14
This works with the default JSSE provider because the host is being set in HttpsClient.java as follows:
s = (SSLSocket)serverSocket;
if (s instanceof SSLSocketImpl) {
    ((SSLSocketImpl)s).setHost(host);
}
In the case of BouncyCastle providers the above will not be set, thus causing the exception to be thrown.
How to reproduce the issue.
Follow the steps below to reproduce the issue.
1-> Download all the attached files.
1.1-> HttpsURLConnectionTest.java, the main program which reproduces the issue.
1.2-> mySrvKeystore is the certificate file.
1.3-> mySrvKeystore.bks is the certificate file in BKS format.
1.4-> Download the required BouncyCastle jars from www.bouncycastle.org
2-> Run HttpsURLConnectionTest with the SunJSSE provider; it will work as expected.
You have to fix the certificate file path in the program.
3-> To run HttpsURLConnection.java on BouncyCastleProvider, follow the steps below.
3.1-> Go to the <JDK>/conf/security/java.security file.
3.2-> Change the JSSE provider as follows:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{ALL};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
3.3-> Change the default keystore type to BCFKS:
keystore.type=BCFKS
3.4-> Change the default key and trust manager factory algorithms as follows:
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
4-> Run HttpsURLConnectionTest; it will throw the exception.
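An added example, not code from the bug report or from the JDK: one provider-neutral way for an application to hand the host name to whichever JSSE provider is active, using only standard javax.net.ssl calls instead of the SSLSocketImpl cast quoted in the description. The class name ProviderNeutralTlsClient, port 443 and the 5-second connect timeout are assumptions; run without arguments it only prints the installed TLS providers and makes no connection.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.Provider;
import java.security.Security;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class ProviderNeutralTlsClient {

    // Layers TLS over a connected socket and passes the host name through
    // javax.net.ssl types only, with no cast to a provider-internal class.
    static SSLSocket wrap(SSLContext ctx, Socket plain, String host, int port) throws Exception {
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");     // verify the cert against the name
        params.setServerNames(List.of(new SNIHostName(host)));  // send the name as SNI
        tls.setSSLParameters(params);
        return tls;
    }

    public static void main(String[] args) throws Exception {
        // Offline part: show which providers offer TLS and which one is in use.
        Provider[] tlsProviders = Security.getProviders("SSLContext.TLS");
        if (tlsProviders != null) {
            for (Provider p : tlsProviders) {
                System.out.println("TLS-capable provider: " + p.getName());
            }
        }
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: " + ctx.getProvider().getName());

        if (args.length == 0) {
            return; // pass a host name as the first argument to attempt a handshake
        }
        String host = args[0];
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, 443), 5000);
        try (SSLSocket tls = wrap(ctx, plain, host, 443)) {
            tls.startHandshake(); // throws if the certificate does not match host
            System.out.println("Negotiated " + tls.getSession().getProtocol()
                    + " with " + tls.getSession().getPeerPrincipal());
        }
    }
}
```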
- backported by
- JDK-8263100 HttpsURLConnection does not work with other JSSE provider.
- Resolved