Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8200351

jdk.incubator.http seems not have the capablity to perform hostname verification on HTTPS

    Details

    • Subcomponent:
    • CPU:
      x86_64
    • OS:
      linux

      Description

      FULL PRODUCT VERSION :
      java version "9.0.4"
      Java(TM) SE Runtime Environment (build 9.0.4+11)
      Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Linux xxx 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

      CentOS release 6.7 (Final)

      A DESCRIPTION OF THE PROBLEM :
      The SSL server certificate used at 'https://blogs.oracle.com/' does not contain the IP address in the subject DN nor subject alternative name.
      Therefor, TLS handshake is expected to fail if an IP address is specified as target host.

      I believe javax.net.ssl.SSLParameters#setEndpointIdentificationAlgorithm("HTTPS") enables hostname verification function on SSLSocket, and expect SSLException is thrown, but RuntimeException/NullPointerException is thrown.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      run the code attached in 'Source code for an executable test case:' on JDK/JRE 9:


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      An Exception indicates TLS handshake fails, such as 'SSLException: hostname in certificate didn't match', is thrown at 'HttpClient#send()'
      ACTUAL -
      An Exception not indicates TLS handshake fails is thrown.


      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      java.lang.RuntimeException: Delegated task threw Exception/Error
      at java.base/sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1594)
      at java.base/sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:497)
      at java.base/sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:745)
      at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:680)
      at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.unwrapBuffer(AsyncSSLDelegate.java:476)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.handshakeReceiveAndUnWrap(AsyncSSLDelegate.java:395)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.doHandshakeImpl(AsyncSSLDelegate.java:294)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.doHandshakeNow(AsyncSSLDelegate.java:262)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.connect(AsyncSSLDelegate.java:233)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLConnection.connect(AsyncSSLConnection.java:78)
      at jdk.incubator.httpclient/jdk.incubator.http.Http2Connection.<init>(Http2Connection.java:272)
      at jdk.incubator.httpclient/jdk.incubator.http.Http2ClientImpl.getConnectionFor(Http2ClientImpl.java:108)
      at jdk.incubator.httpclient/jdk.incubator.http.ExchangeImpl.get(ExchangeImpl.java:86)
      at jdk.incubator.httpclient/jdk.incubator.http.Exchange.establishExchange(Exchange.java:257)
      at jdk.incubator.httpclient/jdk.incubator.http.Exchange.responseImpl0(Exchange.java:268)
      at jdk.incubator.httpclient/jdk.incubator.http.Exchange.responseImpl(Exchange.java:245)
      at jdk.incubator.httpclient/jdk.incubator.http.Exchange.response(Exchange.java:121)
      at jdk.incubator.httpclient/jdk.incubator.http.MultiExchange.response(MultiExchange.java:154)
      at jdk.incubator.httpclient/jdk.incubator.http.HttpClientImpl.send(HttpClientImpl.java:234)
      at test.httpclient.HostnameVerificationTest.get(HostnameVerificationTest.java:41)
      at test.httpclient.HostnameVerificationTest.run(HostnameVerificationTest.java:22)
      at test.httpclient.HostnameVerificationTest.main(HostnameVerificationTest.java:16)
      Caused by: java.lang.NullPointerException
      at java.base/sun.net.util.IPAddressUtil.textToNumericFormatV4(IPAddressUtil.java:49)
      at java.base/sun.net.util.IPAddressUtil.isIPv4LiteralAddress(IPAddressUtil.java:241)
      at java.base/sun.security.util.HostnameChecker.isIpAddress(HostnameChecker.java:139)
      at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:97)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:481)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:456)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:296)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:145)
      at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1952)
      at java.base/sun.security.ssl.ClientHandshaker.certificateStatus(ClientHandshaker.java:1798)
      at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:276)
      at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
      at java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1031)
      at java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1028)
      at java.base/java.security.AccessController.doPrivileged(Native Method)
      at java.base/sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1534)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.lambda$handshakeReceiveAndUnWrap$1(AsyncSSLDelegate.java:413)
      at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1494)
      at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:591)
      at jdk.incubator.httpclient/jdk.incubator.http.AsyncSSLDelegate.handshakeReceiveAndUnWrap(AsyncSSLDelegate.java:413)
      ... 16 more

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      package test.httpclient;

      import java.net.URI;

      import javax.net.ssl.SSLContext;
      import javax.net.ssl.SSLParameters;

      import jdk.incubator.http.HttpClient;
      import jdk.incubator.http.HttpRequest;
      import jdk.incubator.http.HttpResponse;
      import jdk.incubator.http.HttpResponse.BodyHandler;

      public class HostnameVerificationTest {

      public static void main(String[] args) {
      (new HostnameVerificationTest()).run();
      }

      private void run() {
      try {
      //get("https://blogs.oracle.com/java/jdk-http-client");
      get("https://23.2.131.192/java/jdk-http-client");
      } catch (Exception e) {
      e.printStackTrace();
      }
      }

      public void get(String uri) throws Exception {
      SSLParameters sslparams = SSLContext.getDefault().getDefaultSSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");

      HttpClient client = HttpClient.newBuilder()
      .sslParameters(sslparams)
      .build();
      HttpRequest request = HttpRequest.newBuilder()
      .uri(URI.create(uri))
      .GET()
      .build();

      HttpResponse<String> response =
      client.send(request, BodyHandler.asString());

      System.out.println("status = " + response.statusCode());
      }

      }


      ---------- END SOURCE ----------

        Attachments

          Activity

            People

            • Assignee:
              michaelm Michael McMahon
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: