
X509TrustManagerImpl rejects certificate from banking.wellsfargo.com

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • Affects Version/s: 1.0.3
    • Fix Version/s: 1.4.0
    • Component/s: security-libs
    • Labels: None
    • Introduced In Version: 1.0.3
    • CPU: generic
    • OS: generic

Description

    As part of 4529515 we changed X509TrustManagerImpl to treat all extensions the same way regardless of whether they are critical. This follows the most recent X.509 and PKIX specs, but differs from slightly older versions of those specs, in particular in the interpretation of the extended key usage extension.

    Brad found that the Verisign-issued certificate used by banking.wellsfargo.com includes a non-critical extended key usage extension that specifies server gated crypto but not TLS server authentication. The effect is that our new X509TrustManagerImpl rejects the certificate. Apparently Verisign has issued such certificates as recently as February 1st, 2002 (https://zvinet.creditanstalt.co.at).

    In order to ensure maximum interoperability, we should revert to the previous behavior, at least for the extended key usage extension. Once CAs start issuing certificates conforming to the new standard, we should reevaluate this decision.
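The following is an added example, not code from the JDK or from this bug's fix, written in Python so it runs without a Java toolchain or a real certificate. It decodes the DER value of an extendedKeyUsage extension into KeyPurposeId OIDs and then applies the two readings the report contrasts: the older one, in which a non-critical EKU is advisory and ignored, and the newer one, in which EKU is enforced regardless of criticality. The two extension byte strings are constructed; the SGC-only one has the shape described for the Wells Fargo certificate (Netscape SGC purpose, no id-kp-serverAuth). The `accept_sgc` switch is an assumed interoperability option for illustration, not something the report proposes.

```python
# Added example, not JDK code: a minimal DER decoder for the extendedKeyUsage
# extension value plus the two interpretations of a non-critical EKU that the
# bug report contrasts. The sample extension bytes below are constructed.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage
NETSCAPE_SGC = "2.16.840.1.113730.4.1"   # Netscape Server Gated Crypto
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3" # Microsoft Server Gated Crypto

# Constructed EKU value of the shape the report describes: SGC only, no serverAuth.
SGC_ONLY_EKU = bytes.fromhex("300b06096086480186f8420401")
# Constructed EKU value conforming to the newer spec: serverAuth and clientAuth.
CONFORMING_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")


def _read_tlv(buf, pos):
    """Parse one DER tag/length header at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, pos, end


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # last byte of this sub-identifier
            arcs.append(value)
            value = 0
    first = arcs[0]                      # first two arcs are packed as 40*X + Y
    if first < 80:
        arcs[0:1] = [first // 40, first % 40]
    else:
        arcs[0:1] = [2, first - 80]
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Decode ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, pos, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids = []
    while pos < end:
        tag, start, stop = _read_tlv(der, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OID")
        oids.append(decode_oid(der[start:stop]))
        pos = stop
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty")
    return oids


def accept_for_server_auth(eku_oids, critical, strict, accept_sgc=False):
    """Decide whether a certificate with this EKU may authenticate a TLS server.

    eku_oids:   decoded KeyPurposeIds, or None if the extension is absent.
    critical:   the extension's criticality flag.
    strict:     True for the newer reading (EKU enforced whether or not it is
                critical); False for the older reading (a non-critical EKU is
                advisory only and is ignored).
    accept_sgc: assumed interoperability choice, not part of the bug report:
                also treat the SGC purposes as sufficient for server auth.
    """
    if eku_oids is None:
        return True                      # no EKU extension: no restriction
    if not critical and not strict:
        return True                      # older reading: non-critical EKU ignored
    allowed = {SERVER_AUTH, ANY_EKU}
    if accept_sgc:
        allowed |= {NETSCAPE_SGC, MICROSOFT_SGC}
    return any(oid in allowed for oid in eku_oids)


if __name__ == "__main__":
    oids = decode_eku(SGC_ONLY_EKU)
    print("EKU purposes:", oids)
    print("old reading (non-critical EKU ignored):",
          accept_for_server_auth(oids, critical=False, strict=False))
    print("new reading (EKU always enforced):     ",
          accept_for_server_auth(oids, critical=False, strict=True))
```

Run stand-alone, the SGC-only extension is accepted under the older reading and rejected under the newer one, which is exactly the interoperability break the report describes; the decoder also rejects an empty SEQUENCE and truncated or malformed encodings instead of silently treating them as "no restriction".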

People

    Assignee: Andreas Sterbenz
    Reporter: Andreas Sterbenz
