JDK-8136582

JSSE Documentation Error Of Unsafe Server Certificate

Description

In the Java Secure Socket Extension (JSSE) Reference Guide at http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#allowUnsafeCert , point #3 is incorrect:

      Server certificate change in an SSL/TLS renegotiation may be unsafe:

         1. if endpoint identification is not enabled in an SSL/TLS handshaking; and
         2. if the previous handshake is a session-resumption abbreviated initial handshake; and
         3. if the identities represented by both certificates can be regarded as the same.

      Point 3 should say:

      3. if the identities represented by both certificates can be regarded as different.

      -- or --

      3. unless the identities represented by both certificates can be regarded as the same.

Refer to isIdentityEquivalent() at sun/security/ssl/ClientHandshaker.java
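The corrected rule, written out as an added Java example; this is not code from the page or from the JDK, and the identity comparison it uses (dNSName/iPAddress subject alternative names, then subject and issuer) is an assumption standing in for ClientHandshaker.isIdentityEquivalent():

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class RenegotiationCertCheck {
    // GeneralName type tags as returned by getSubjectAlternativeNames(): 2 = dNSName, 7 = iPAddress.
    private static final int ALTNAME_DNS = 2;
    private static final int ALTNAME_IP = 7;
    // Corrected rule from the report: a server certificate change in renegotiation is unsafe
    // only if endpoint identification is off AND the previous handshake was an abbreviated
    // (session-resumption) handshake AND the two certificates represent different identities.
    public static boolean isUnsafeCertChange(boolean endpointIdentificationEnabled,
            boolean previousWasResumption, X509Certificate prevCert, X509Certificate newCert) {
        return !endpointIdentificationEnabled
                && previousWasResumption
                && !isIdentityEquivalent(prevCert, newCert);
    }
    // Illustrative identity comparison (an assumption for this example, not the JDK's own method):
    // same encoded certificate, or same dNSName/iPAddress SAN set, or same subject and issuer.
    static boolean isIdentityEquivalent(X509Certificate a, X509Certificate b) {
        if (a.equals(b)) return true;
        Set<String> aNames = hostNames(a);
        if (!aNames.isEmpty() && aNames.equals(hostNames(b))) return true;
        return !a.getSubjectX500Principal().getName().isEmpty()
                && a.getSubjectX500Principal().equals(b.getSubjectX500Principal())
                && a.getIssuerX500Principal().equals(b.getIssuerX500Principal());
    }
    // Collects dNSName and iPAddress entries, lower-cased. Unparseable or absent SANs yield an
    // empty set, so the caller falls back to the subject/issuer comparison.
    private static Set<String> hostNames(X509Certificate cert) {
        Set<String> names = new HashSet<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return names;
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == ALTNAME_DNS || type == ALTNAME_IP) {
                    names.add(type + ":" + String.valueOf(san.get(1)).toLowerCase());
                }
            }
        } catch (CertificateParsingException e) {
            names.clear();
        }
        return names;
    }
}
```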

People

• Assignee: ksomerville Kenny Somerville (Inactive)
• Reporter: xuelei Xue-Lei Fan