archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled

Browse source 
Reviewed-by: weijun
This commit is contained in:
Xue-Lei Andrew Fan 2022-02-03 06:28:19 +00:00
parent a46307a79d
commit a95ee5ada2
4 changed files with 616 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/java.base/share/classes/sun/security/ssl/Utilities.java
View file

@ -101,14 +101,19 @@ final class Utilities {
* not look like a FQDN
*/
private static SNIHostName rawToSNIHostName(String hostname) {
SNIHostName sniHostName = null;
// Is it a Fully-Qualified Domain Names (FQDN) ending with a dot?
if (hostname != null && hostname.endsWith(".")) {
// Remove the ending dot, which is not allowed in SNIHostName.
hostname = hostname.substring(0, hostname.length() - 1);
}
if (hostname != null && hostname.indexOf('.') > 0 &&
!hostname.endsWith(".") &&
!IPAddressUtil.isIPv4LiteralAddress(hostname) &&
!IPAddressUtil.isIPv6LiteralAddress(hostname)) {
try {
sniHostName = new SNIHostName(hostname);
return new SNIHostName(hostname);
} catch (IllegalArgumentException iae) {
// don't bother to handle illegal host_name
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
@ -118,7 +123,7 @@ final class Utilities {
}
}
return sniHostName;
return null;
}
/**

6
src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java
View file

@ -404,6 +404,12 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
boolean identifiable = false;
String peerHost = session.getPeerHost();
// Is it a Fully-Qualified Domain Names (FQDN) ending with a dot?
if (peerHost != null && peerHost.endsWith(".")) {
// Remove the ending dot, which is not allowed in SNIHostName.
peerHost = peerHost.substring(0, peerHost.length() - 1);
}
if (!checkClientTrusted) {
List<SNIServerName> sniNames = getRequestedServerNames(session);
String sniHostName = getHostNameInSNI(sniNames);