Skip to content

Enable HTTPS endpoint identification in JsseSslEngineFactory#2243

Merged
hyperxpro merged 1 commit into
mainfrom
jsse-endpoint-identification
Jul 18, 2026
Merged

Enable HTTPS endpoint identification in JsseSslEngineFactory#2243
hyperxpro merged 1 commit into
mainfrom
jsse-endpoint-identification

Conversation

@hyperxpro

Copy link
Copy Markdown
Member

Motivation

JsseSslEngineFactory creates the SSLEngine using sslContext.createSSLEngine(host, port) but only enables client mode via setUseClientMode(true). It never configures endpoint identification, so a JDK SSLEngine does not verify the server hostname during the TLS handshake. As a result, any certificate signed by a trusted CA is accepted regardless of the requested hostname, leaving the connection vulnerable to man-in-the-middle attacks. DefaultSslEngineFactory correctly enables hostname verification.

This regression was introduced in #2104, which removed the shared setEndpointIdentificationAlgorithm("HTTPS") call from configureSslEngine() and restored it only in DefaultSslEngineFactory, unintentionally leaving the pure JSSE path (used with a user-supplied JDK SSLContext) without hostname verification.

Modification

Update JsseSslEngineFactory.newSslEngine() to configure the engine's SSLParameters with setEndpointIdentificationAlgorithm("HTTPS"), unless config.isDisableHttpsEndpointIdentificationAlgorithm() is enabled. This matches the behavior of DefaultSslEngineFactory while preserving the documented opt-out.

Result

Connections created through JsseSslEngineFactory with a custom JDK SSLContext now perform hostname verification during the TLS handshake, matching the default implementation. Existing opt-out behavior remains unchanged, and the DefaultSslEngineFactory path is unaffected.

A JDK SSLEngine does not verify the peer hostname unless the endpoint
identification algorithm is set, so JsseSslEngineFactory accepted a
certificate valid for any host. DefaultSslEngineFactory already enables it.
Set it here too, honoring disableHttpsEndpointIdentificationAlgorithm, so a
custom JDK SSLContext no longer silently loses hostname verification.
@hyperxpro
hyperxpro merged commit e14fc94 into main Jul 18, 2026
29 of 30 checks passed
@hyperxpro
hyperxpro deleted the jsse-endpoint-identification branch July 18, 2026 08:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant