On Fri, 5 Jul 2024 08:58:03 GMT, Prajwal Kumaraswamy <pkumarasw...@openjdk.org> 
wrote:

> The client identity check performed when the "HTTPS" endpoint identification 
> algorithm is set on an SSL server throws "java.security.cert.CertificateException: 
> No subject alternative names present" when the client certificate's 
> SubjectAltName extension does not match its IP address.
> 
> Since the server has no external knowledge of what the client's identity 
> ought to be,  HTTPS identity checks must be disabled on the server side.
> The exception message has been fixed to indicate the same.
> 
> I have performed the test on both the SSL server engine and the SSL server 
> socket; logs and a snapshot are attached for reference. I have also run the 
> changes against the external test suite and the test runs are green.

I have a general question about this fix. Does it ever make sense for a server 
to call `SSLParameters.setEndpointIdentification` with a value of "HTTPS"? If 
not, then it probably makes sense to detect this error situation earlier and 
throw an Exception, preferably before the TLS handshake even starts. 
@bradfordwetmore Any thoughts on this one?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/20048#issuecomment-2211059594
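Added example, not code from the PR or from the JDK itself: a small Java helper showing the shape of the early check the comment above asks about, refusing to install an endpoint identification algorithm on an `SSLEngine` that is in server mode, so the misconfiguration surfaces as an `IllegalArgumentException` before any handshake bytes are exchanged rather than as a `CertificateException` during client-certificate validation. The class name `EndpointIdentificationGuard` and the method `applyChecked` are hypothetical; the `SSLContext`, `SSLEngine` and `SSLParameters` calls are the real JDK API. The helper treats any non-empty algorithm name, not just "HTTPS", as client-only, which is an assumption of this example rather than anything the JDK enforces.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper (example code, not part of the JDK).
public final class EndpointIdentificationGuard {

    /**
     * Installs params on engine, but refuses to do so when the engine is in
     * server mode and an endpoint identification algorithm is set. A server has
     * no expected peer name to compare the client's certificate against, so the
     * check can only ever fail; reject it up front instead of mid-handshake.
     */
    public static void applyChecked(SSLEngine engine, SSLParameters params) {
        String alg = params.getEndpointIdentificationAlgorithm();
        // Assumption of this example: every algorithm name is treated as client-only.
        if (!engine.getUseClientMode() && alg != null && !alg.isEmpty()) {
            throw new IllegalArgumentException(
                "Endpoint identification algorithm \"" + alg
                + "\" is only meaningful in client mode; a server cannot verify "
                + "the client's identity against a peer name it does not know");
        }
        engine.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        // Default key and trust managers are enough for a configuration demo;
        // no handshake is performed here.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        // Client side: "HTTPS" is the right setting. The client knows the host
        // it dialed (example.test is a placeholder) and checks the server
        // certificate's SubjectAltName against it.
        SSLEngine client = ctx.createSSLEngine("example.test", 443);
        client.setUseClientMode(true);
        SSLParameters clientParams = client.getSSLParameters();
        clientParams.setEndpointIdentificationAlgorithm("HTTPS");
        applyChecked(client, clientParams);
        System.out.println("client: HTTPS endpoint identification installed");

        // Server side: the same setting is rejected before the handshake starts.
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);
        SSLParameters serverParams = server.getSSLParameters();
        serverParams.setEndpointIdentificationAlgorithm("HTTPS");
        try {
            applyChecked(server, serverParams);
        } catch (IllegalArgumentException e) {
            System.out.println("server: rejected early: " + e.getMessage());
        }
    }
}
```

The same guard applies unchanged to an `SSLSocket` obtained from an `SSLServerSocket`, since it exposes the same `getUseClientMode()` and `setSSLParameters()` methods; only the engine variant is shown above.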
