JDK-4652901

X509TrustManagerImpl rejects certificate from banking.wellsfargo.com

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 1.4.0
    • Fix Version/s: 1.0.3
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      1.0.3
    • CPU:
      generic
    • OS:
      generic

        Description

        As part of 4529515 we changed X509TrustManagerImpl to treat all extensions the same way regardless of whether they are critical. This follows the most recent X.509 and PKIX specs, but is different from slightly older versions of those specs, in particular regarding the interpretation of the extended key usage extension.

        Brad found that the Verisign-issued certificate used by banking.wellsfargo.com includes a non-critical extended key usage extension that specifies server gated crypto but not TLS server authentication. The effect is that our new X509TM rejects the certificate. Apparently Verisign has issued such certificates as recently as February 1st, 2002 (https://zvinet.creditanstalt.co.at).

        In order to ensure maximum interoperability, we should revert to the previous behavior, at least for the extended key usage extension. Once CAs start issuing certificates conforming to the new standard, we should reevaluate this decision.
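
The two readings of the extended key usage extension described above, as an added Java sketch (not the JDK's X509TrustManagerImpl code). It assumes the earlier behavior ignored a non-critical extended key usage extension; the class and method names and the sample OID lists are constructed for illustration, and the two SGC OIDs are the Netscape and Microsoft server gated crypto identifiers.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

public class EkuServerCheck {
    static final String EKU_EXTENSION = "2.5.29.37";        // extendedKeyUsage extension
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";  // id-kp-serverAuth
    static final String ANY_EKU = "2.5.29.37.0";            // anyExtendedKeyUsage
    static final String NS_SGC = "2.16.840.1.113730.4.1";   // Netscape server gated crypto
    static final String MS_SGC = "1.3.6.1.4.1.311.10.3.3";  // Microsoft server gated crypto

    /** Strict reading: an EKU extension, critical or not, must permit TLS server auth. */
    static boolean strictAllows(List<String> eku) {
        return eku == null || eku.contains(SERVER_AUTH) || eku.contains(ANY_EKU);
    }

    /** Assumed older reading: a non-critical EKU extension never causes rejection. */
    static boolean legacyAllows(List<String> eku, boolean critical) {
        return !critical || strictAllows(eku);
    }

    /** The shape in this report: non-critical EKU naming SGC but not server auth. */
    static boolean isSgcOnly(List<String> eku, boolean critical) {
        return legacyAllows(eku, critical) && !strictAllows(eku)
                && (eku.contains(NS_SGC) || eku.contains(MS_SGC));
    }

    /** Adapter for a real certificate, e.g. the leaf of a server's chain. */
    static String classify(X509Certificate cert) throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage();   // null when the extension is absent
        Set<String> crit = cert.getCriticalExtensionOIDs();
        boolean critical = crit != null && crit.contains(EKU_EXTENSION);
        return classify(eku, critical);
    }

    static String classify(List<String> eku, boolean critical) {
        if (strictAllows(eku)) return "accepted by both";
        if (isSgcOnly(eku, critical)) return "SGC-only, non-critical: strict rejects, legacy accepts";
        return legacyAllows(eku, critical) ? "strict rejects, legacy accepts" : "rejected by both";
    }

    public static void main(String[] args) {
        // Constructed EKU lists, not taken from any real certificate.
        System.out.println(classify(null, false));
        System.out.println(classify(List.of(SERVER_AUTH, NS_SGC), false));
        System.out.println(classify(List.of(NS_SGC), false));
        System.out.println(classify(List.of(NS_SGC), true));
    }
}
```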

                People

                Assignee:
                andreas Andreas Sterbenz
                Reporter:
                andreas Andreas Sterbenz