Release Note: Fix Exception message when HTTPS Endpoint Identification Algorithm is set on SSL Server

    • Type: Sub-task
    • Resolution: Withdrawn
    • Priority: P4
    • 24
    • Affects Version/s: None
    • Component/s: security-libs

      When the endpoint identification algorithm is set to "HTTPS" on an SSL server using the method `setEndpointIdentificationAlgorithm()` and the SubjectAltName extension of the client certificate does not match its IP address, one of the following exceptions can be thrown:

      1. java.security.cert.CertificateException: No subject alternative names present
      2. java.security.cert.CertificateException: No subject alternative names matching IP address <clientIP> found

      Typically, the server has no external knowledge of what the client's identity ought to be and hence identity checks are not possible (other than that the client has a certificate chain rooted in an appropriate CA).

      The exception message has been changed to `java.security.cert.CertificateException: Endpoint Identification Algorithm HTTPS is not supported on the server side`, indicating that the "HTTPS" endpoint identification algorithm is not valid on the server side and must be disabled.
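
The configuration this note is about, shown as an added example (not code from the JDK or from this issue): a server-side `SSLEngine` with the "HTTPS" algorithm set beside the corrected form, plus a startup check that flags the former. The class name `EndpointIdConfig`, the helper `serverHasEndpointId` and the host `server.example` are hypothetical; no network connection is made.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdConfig {

    // Client side: "HTTPS" makes JSSE compare the server certificate with the
    // name the client intended to reach (placeholder host, nothing is contacted).
    static SSLEngine clientEngine(SSLContext ctx) {
        SSLEngine e = ctx.createSSLEngine("server.example", 443);
        e.setUseClientMode(true);
        SSLParameters p = e.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        e.setSSLParameters(p);
        return e;
    }

    // Server side: client identity is established by requiring a certificate
    // chain rooted in a trusted CA. With misconfigured=true the engine also
    // carries the "HTTPS" algorithm, which is the setting this note describes.
    static SSLEngine serverEngine(SSLContext ctx, boolean misconfigured) {
        SSLEngine e = ctx.createSSLEngine();
        e.setUseClientMode(false);
        SSLParameters p = e.getSSLParameters();
        p.setNeedClientAuth(true);
        if (misconfigured) {
            p.setEndpointIdentificationAlgorithm("HTTPS");
        }
        e.setSSLParameters(p);
        return e;
    }

    // Hypothetical startup check: true when a server-mode engine has an
    // endpoint identification algorithm configured.
    static boolean serverHasEndpointId(SSLEngine e) {
        String alg = e.getSSLParameters().getEndpointIdentificationAlgorithm();
        return !e.getUseClientMode() && alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("client algorithm: "
                + clientEngine(ctx).getSSLParameters().getEndpointIdentificationAlgorithm());
        System.out.println("misconfigured server flagged: "
                + serverHasEndpointId(serverEngine(ctx, true)));
        System.out.println("corrected server flagged: "
                + serverHasEndpointId(serverEngine(ctx, false)));
    }
}
```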

            Assignee:
            Prajwal Kumaraswamy
            Reporter:
            Prajwal Kumaraswamy