RFC 6125 and host name verification in Java 7+

Bruno Harbulot bruno at distributedmatter.net
Thu Aug 16 15:26:38 PDT 2012


Hello,

Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
algorithms supported by
SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
"LDAPS". The Javadoc for SSLParameters points to the standard names
and provider documentation, but I can't find any mention of these
algorithms anywhere. Are there any others?

I'm not sure if there is much awareness for it, but there is an RFC
that aims to harmonise the best practices for server name
identification across protocols: RFC 6125, "Representation and
Verification of Domain-Based Application Service Identity within
Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
the Context of Transport Layer Security (TLS)". (In practice, it's
actually quite close to the HTTPS rules from RFC 2818.)

I'd just like to suggest that further versions of the JDK/JRE could
support an "RFC6125" algorithm in addition to the existing ones, since
it's meant to be independent of the application protocol (perhaps all
this could be enabled by default too, to prevent cases where users
don't verify the host name at all).

Best wishes,

Bruno.



More information about the security-dev mailing list