endpoint identification algorithm, only in "1.2"?

Bernd Eckenfels ecki at zusammenkunft.net
Wed Oct 8 23:06:34 UTC 2014


Hello,

the JCE algorithm specification

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html

states for TLS:

"... The Java SE 7 release supports endpoint identification algorithms
for TLS 1.2. The algorithm name can be passed to the
setEndpointIdentificationAlgorithm() method of
javax.net.ssl.SSLParameters...."

If I read the source* right, and especially since this would be a rather
strange thing if it does not, the actual hostname verification is done
regardless of the actual TLS protocol. So I think the "TLS 1.2" in the
above text refers to the TLSv1.2/SunJSSE protocol/provider, not the
actual negotiated protocol level, right?


If I use an unknown algorithm, the verifier will fail with
CertificateException. I think this will trigger a registered
HostnameVerifyer (so far so good). But this does mean it also does not
to chain checking and trustsstore, right? (so I better customize the
ExtendedX509TrustManager for checks in addition to the normal checks,
right?


*
  http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/21568031434d/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java#l454

  Greetings
Bernd


More information about the security-dev mailing list