Skip to content

Enable HTTPS endpoint identification in JsseSslEngineFactory#2243

Open
hyperxpro wants to merge 1 commit into
mainfrom
jsse-endpoint-identification
Open

Enable HTTPS endpoint identification in JsseSslEngineFactory#2243
hyperxpro wants to merge 1 commit into
mainfrom
jsse-endpoint-identification

Conversation

@hyperxpro

Copy link
Copy Markdown
Member

Motivation

JsseSslEngineFactory creates the SSLEngine using sslContext.createSSLEngine(host, port) but only enables client mode via setUseClientMode(true). It never configures endpoint identification, so a JDK SSLEngine does not verify the server hostname during the TLS handshake. As a result, any certificate signed by a trusted CA is accepted regardless of the requested hostname, leaving the connection vulnerable to man-in-the-middle attacks. DefaultSslEngineFactory correctly enables hostname verification.

This regression was introduced in #2104, which removed the shared setEndpointIdentificationAlgorithm("HTTPS") call from configureSslEngine() and restored it only in DefaultSslEngineFactory, unintentionally leaving the pure JSSE path (used with a user-supplied JDK SSLContext) without hostname verification.

Modification

Update JsseSslEngineFactory.newSslEngine() to configure the engine's SSLParameters with setEndpointIdentificationAlgorithm("HTTPS"), unless config.isDisableHttpsEndpointIdentificationAlgorithm() is enabled. This matches the behavior of DefaultSslEngineFactory while preserving the documented opt-out.

Result

Connections created through JsseSslEngineFactory with a custom JDK SSLContext now perform hostname verification during the TLS handshake, matching the default implementation. Existing opt-out behavior remains unchanged, and the DefaultSslEngineFactory path is unaffected.

A JDK SSLEngine does not verify the peer hostname unless the endpoint
identification algorithm is set, so JsseSslEngineFactory accepted a
certificate valid for any host. DefaultSslEngineFactory already enables it.
Set it here too, honoring disableHttpsEndpointIdentificationAlgorithm, so a
custom JDK SSLContext no longer silently loses hostname verification.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant