Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8065553

Failed Java web start via IPv6 (Java7u71 or later)

    Details

    • Subcomponent:
    • Resolved In Build:
      b10
    • CPU:
      x86
    • OS:
      windows_7

      Backports

        Description

        FULL PRODUCT VERSION :
        C:\Users\Adminuser7>java -version
        java version "1.7.0_71"
        Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
        Java HotSpot(TM) Client VM (build 24.71-b01, mixed mode, sharing)

        ADDITIONAL OS VERSION INFORMATION :
        Windows7 professional SP1

        A DESCRIPTION OF THE PROBLEM :
        I tried to access java web start via IPv6 address. I got .jnlp , but could not get .jar file. The exception is:

        Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 2001:db8::1:1:0:1 found
        at sun.security.util.HostnameChecker.matchIP(Unknown Source)

        This exception maybe cause here.
        /**
        * Check if the certificate allows use of the given IP address.
        *
        * From RFC2818:
        * In some cases, the URI is specified as an IP address rather than a
        * hostname. In this case, the iPAddress subjectAltName must be present
        * in the certificate and must exactly match the IP in the URI.
        */
        private static void matchIP(String expectedIP, X509Certificate cert)
            throws CertificateException {
            Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
            if (subjAltNames == null) {
                throw new CertificateException
                          ("No subject alternative names present");
            }
            for (List<?> next : subjAltNames) {
                // For IP address, it needs to be exact match
                if (((Integer)next.get(0)).intValue() == ALTNAME_IP) {
                    String ipAddress = (String)next.get(1);
                    if (expectedIP.equalsIgnoreCase(ipAddress)) {
                        return;
                       }
                   }
             }
             throw new CertificateException("No subject alternative " +
                        "names matching " + "IP address " +
                         expectedIP + " found");
        }

        I think failed compare "if (expectedIP.equalsIgnoreCase(ipAddress)) {".
        expectedIP is abbrevation ipv6 format, but ipAddress is non-abbrevation ipv6 format. As a result, the compare is failed if the ipv6 address is the same.

        So, I changed the ip address and subject altnames from 2001:db8::1:1:0:1 to 1111:2222:3333:4444:aaaa:bbbb:cccc:dddd(non-abbrevation address) and it does work!




        REPRODUCIBILITY :
        This bug can be reproduced always.

        CUSTOMER SUBMITTED WORKAROUND :
        1. Access by host name.
        2. Use non-abbrevation ipv6 address

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  robm Robert Mckenna
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  6 Start watching this issue

                  Dates

                  • Due:
                    Created:
                    Updated:
                    Resolved: