8369950: TLS connection to IPv6 address fails with BCJSSE due to IllegalArgumentException #28577

Closed
sercher wants to merge 9 commits into openjdk:master from sercher:JDK-8369950

@sercher
Contributor

@sercher sercher commented Dec 1, 2025

Hi all,

Let me propose a fix and a test case for JDK-8369950.

The failure reproduces with BCJSSE provider and all implementations of SSLSocket other than SSLSocketImpl.

In the test case an anonymous wrapper is used, over the standard SSLSocketImpl, to simulate an external JSSE provider. The test case shows the same behavior as in BCJSSE (failure due to non-LDH ASCII characters in the SNI host name).

The fix avoids constructing SNIHostName when the URL host name is an IPv4 or IPv6 literal address. Other than that, all other FQDN host names that have invalid characters (non-LDH ASCII characters) still produce that exception.

SNIHostName, as defined in

* As described in section 3, "Server Name Indication", of
* <A HREF="http://www.ietf.org/rfc/rfc6066.txt">TLS Extensions (RFC 6066)</A>,
* "HostName" contains the fully qualified DNS hostname of the server, as
* understood by the client. The encoded server name value of a hostname is
* represented as a byte string using ASCII encoding without a trailing dot.
* This allows the support of Internationalized Domain Names (IDN) through
* the use of A-labels (the ASCII-Compatible Encoding (ACE) form of a valid
* string of Internationalized Domain Names for Applications (IDNA)) defined
* in <A HREF="http://www.ietf.org/rfc/rfc5890.txt">RFC 5890</A>.
* <P>
* Note that {@code SNIHostName} objects are immutable.
*
* @spec https://www.rfc-editor.org/info/rfc5890
* RFC 5890: Internationalized Domain Names for Applications (IDNA):
* Definitions and Document Framework
* @spec https://www.rfc-editor.org/info/rfc6066
* RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
* @see SNIServerName
* @see StandardConstants#SNI_HOST_NAME
*
* @since 1.8
*/
public final class SNIHostName extends SNIServerName {

has the fully qualified DNS hostname of the server. As follows from the section 3, "Server Name Indication", RFC 6066, Literal IPv4 and IPv6 addresses are not permitted in "HostName".

The fix mirrors the behavior of SSLSocketImpl, that avoids constructing the SNIHostName from literal addresses. Please see

if (hostname != null && hostname.indexOf('.') > 0 &&
!hostname.endsWith(".") &&
!IPAddressUtil.isIPv4LiteralAddress(hostname) &&
!IPAddressUtil.isIPv6LiteralAddress(hostname)) {
try {
return new SNIHostName(hostname);

Testing:

  • standard jtreg test groups showed no regressions
  • the new test passes with the fix and fails otherwise
  • passes also with BCJSSE in FIPS and standard mode

BCJSSE standard
STDOUT:
STDERR:
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.PropertyUtils getBooleanSecurityProperty
INFORMATION: Found boolean security property [keystore.type.compat]: true
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.PropertyUtils getStringSecurityProperty
INFORMATION: Found string security property [jdk.tls.disabledAlgorithms]: SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': rsa_pkcs1_sha1 usage HandshakeSignature
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': ecdsa_sha1 usage HandshakeSignature
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': dsa_sha1 usage HandshakeSignature
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.PropertyUtils getStringSecurityProperty
INFORMATION: Found string security property [jdk.certpath.disabledAlgorithms]: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 jdkCA & usage TLSServer
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 usage SignedJAR & denyAfter 2019-01-01
Dez. 01, 2025 2:44:02 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyHandshakeBeginning
INFORMATION: [server #1 @193b6d73] accepting connection from 0:0:0:0:0:0:0:1:56197
Dez. 01, 2025 2:44:03 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyHandshakeComplete
INFORMATION: [server #1 @193b6d73] established connection with 0:0:0:0:0:0:0:1:56197
Dez. 01, 2025 2:44:08 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyConnectionClosed
INFORMATION: [server #1 @193b6d73] disconnected from 0:0:0:0:0:0:0:1:56197
STATUS:Passed.

BCJSSE FIPS
STDOUT:
STDERR:
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.PropertyUtils getBooleanSecurityProperty
INFORMATION: Found boolean security property [keystore.type.compat]: true
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.PropertyUtils getStringSecurityProperty
INFORMATION: Found string security property [jdk.tls.disabledAlgorithms]: SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': rsa_pkcs1_sha1 usage HandshakeSignature
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': ecdsa_sha1 usage HandshakeSignature
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': dsa_sha1 usage HandshakeSignature
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.PropertyUtils getStringSecurityProperty
INFORMATION: Found string security property [jdk.certpath.disabledAlgorithms]: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 jdkCA & usage TLSServer
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create
WARNUNG: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 usage SignedJAR & denyAfter 2019-01-01
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyHandshakeBeginning
INFORMATION: [server #1 @4d1e9767] accepting connection from 0:0:0:0:0:0:0:1:56184
Dez. 01, 2025 2:41:32 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyHandshakeComplete
INFORMATION: [server #1 @4d1e9767] established connection with 0:0:0:0:0:0:0:1:56184
Dez. 01, 2025 2:41:37 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyConnectionClosed
INFORMATION: [server #1 @4d1e9767] disconnected from 0:0:0:0:0:0:0:1:56184
STATUS:Passed.

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8369950: TLS connection to IPv6 address fails with BCJSSE due to IllegalArgumentException (Bug - P4)

Reviewers

Contributors

  • Mikhail Yankelevich <myankelevich@openjdk.org>

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/28577/head:pull/28577
$ git checkout pull/28577

Update a local copy of the PR:
$ git checkout pull/28577
$ git pull https://git.openjdk.org/jdk.git pull/28577/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 28577

View PR using the GUI difftool:
$ git pr show -t 28577

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/28577.diff

Using Webrev

Link to Webrev Comment
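
The guard described in the pull request body, sketched with public APIs only. This is an added example, not code from this PR or from the JDK: the class and method names are hypothetical, the sample hosts are constructed, and it assumes JDK 22 or later for InetAddress.ofLiteral (the PR itself uses the internal IPAddressUtil).

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.List;
import java.util.Optional;
import javax.net.ssl.SNIHostName;

// Added example; class and method names are hypothetical, not JDK internals.
public class SniHostGuard {

    // URL.getHost() returns IPv6 literals wrapped in [], so strip them first.
    static String stripBrackets(String host) {
        int n = host.length();
        if (n > 2 && host.charAt(0) == '[' && host.charAt(n - 1) == ']') {
            return host.substring(1, n - 1);
        }
        return host;
    }

    // True for IPv4/IPv6 literals. InetAddress.ofLiteral (JDK 22+) only
    // parses the text and never performs a DNS lookup.
    static boolean isIpLiteral(String host) {
        try {
            InetAddress.ofLiteral(stripBrackets(host));
            return true;
        } catch (IllegalArgumentException notALiteral) {
            return false;
        }
    }

    // SNI value for a URL host, or empty when the host is an address literal,
    // which RFC 6066 does not permit in "HostName". Names with non-LDH
    // characters still raise IllegalArgumentException from SNIHostName.
    static Optional<SNIHostName> sniFor(String host) {
        if (host == null || host.isEmpty() || isIpLiteral(host)) {
            return Optional.empty();
        }
        return Optional.of(new SNIHostName(host));
    }

    // Outcome of calling the constructor directly, without the guard.
    // An IPv4 literal holds only digits and dots, so the constructor
    // accepts it; the brackets and colons of an IPv6 literal are rejected.
    static String unguarded(String host) {
        try {
            return "SNIHostName(" + new SNIHostName(host).getAsciiName() + ")";
        } catch (IllegalArgumentException e) {
            return "IllegalArgumentException";
        }
    }

    // Outcome with the guard in place.
    static String guarded(String host) {
        try {
            return sniFor(host)
                    .map(s -> "SNIHostName(" + s.getAsciiName() + ")")
                    .orElse("no SNI");
        } catch (IllegalArgumentException e) {
            return "IllegalArgumentException";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the host exactly as URL.getHost() reports it.
        String v6 = URI.create("https://[::1]:8443/index.html")
                .toURL().getHost();
        // Constructed sample hosts: IPv4 literal, valid name, non-LDH name.
        List<String> hosts = List.of(v6, "127.0.0.1",
                "www.example.com", "bad_name.example.com");
        for (String host : hosts) {
            System.out.printf("%-22s unguarded=%-26s guarded=%s%n",
                    host, unguarded(host), guarded(host));
        }
    }
}
```

Running it shows why the IPv4 check matters as much as the IPv6 one: without the guard the IPv6 literal fails loudly, while the IPv4 literal is silently turned into an SNI entry.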

@bridgekeeper

bridgekeeper bot commented Dec 1, 2025

👋 Welcome back schernyshev! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk

openjdk bot commented Dec 1, 2025

@sercher This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8369950: TLS connection to IPv6 address fails with BCJSSE due to IllegalArgumentException

Co-authored-by: Mikhail Yankelevich <myankelevich@openjdk.org>
Reviewed-by: djelinski, vyazici, dfuchs, myankelevich

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 161 new commits pushed to the master branch:

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@djelinski, @dfuch, @myankelev, @vy) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot added security security-dev@openjdk.org net net-dev@openjdk.org labels Dec 1, 2025
@openjdk

openjdk bot commented Dec 1, 2025

@sercher The following labels will be automatically applied to this pull request:

  • net
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

@sercher sercher marked this pull request as ready for review December 1, 2025 14:17
@openjdk openjdk bot added the rfr Pull request is ready for review label Dec 1, 2025
@mlbridge

mlbridge bot commented Dec 1, 2025

Member

@djelinski djelinski left a comment

LGTM. Thanks!

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Dec 1, 2025
@dfuch
Member

dfuch commented Dec 1, 2025

Please make sure to run tier2 before integrating.

@sercher
Contributor Author

sercher commented Dec 1, 2025

> LGTM. Thanks!

@djelinski Thank you for review!

@sercher
Contributor Author

sercher commented Dec 1, 2025

> Please make sure to run tier2 before integrating.

@dfuch Thanks Daniel. The new test is in tier2, so far it passes in macOS and Linux. Windows takes more time with tier2...

@sercher
Contributor Author

sercher commented Dec 2, 2025

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label Dec 2, 2025
@openjdk

openjdk bot commented Dec 2, 2025

@sercher
Your change (at version 7d1a903) is now ready to be sponsored by a Committer.

@jaikiran
Member

jaikiran commented Dec 2, 2025

Hello Sergey, the copyright year on HttpsClient will need an update from 2001, 2024, to 2001, 2025,

if (!(s instanceof SSLSocketImpl) &&
!IPAddressUtil.isIPv4LiteralAddress(host) &&
!(host.charAt(0) == '[' && host.charAt(host.length() - 1) == ']' &&
IPAddressUtil.isIPv6LiteralAddress(host.substring(1, host.length() - 1))
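
Review bot: host.charAt(0) in the bracket test is reached without any length or null check in the visible condition, so an empty host would throw StringIndexOutOfBoundsException here instead of simply skipping SNI. Put !host.isEmpty() (and a null check, if host can be null at this point) ahead of the bracket test, or move the bracket stripping into a small helper that handles both cases.
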
Member

The host value here comes from URL.getHost() which specifies that it returns an IPv6 address enclosed in []brackets. So what you have here looks fine to me.

One additional thing I would suggest is to make this protected String host field of this class final. It currently gets assigned in the constructor of the HttpClient and HttpsClient and making this final would give an extra assurance that its value will always be coming from URL.getHost() call.

These 2 sun.net.www.http.HttpClient and HttpsClient classes are internal to the JDK, so changing this protected field to final shouldn't cause any issues for application code.

Contributor Author

@jaikiran I think this deserves a separate issue. I could file a bug for this.

Member

Yes, it's OK with me if you don't change this field to final in this PR.

* terminate all hung threads after its timeout has expired,
* currently 3 minutes by default, but you might try to be
* smart about it....
*/
Member

I am not too familiar with these style of tests, but it looks like there are several similar ones in the javax/net/ssl area. Would you know if these comments are still accurate and up to date? In other words, do we need these comments in this test?

Member

Let's clean this up in a follow-up PR. There's 60+ files with the same comment.

Member

Yes, doing this as a separate PR is fine with me.

Contributor Author

@jaikiran Let me clean up the comments that are not anymore accurate in this particular PR. I personally try to avoid this type of changes that only touch the whitespace or comments blocks, including the copyright header ones, because they increase the number of connections between unrelated changes, that makes the fix less portable.

Member

@sercher, it's OK if you leave the test in the current form. Just fixing the @summary test on the test definition should be enough. I have spoken to others and the agreement is that since we already have similar tests in this area, it probably is a better thing to let this test stay in this manner instead of devising some new way to test this. Sorry about the previous guidance to update these test comments.

BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS));
bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n");
bw.flush();
Thread.sleep(5000);
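
Review bot: the string passed to bw.write has a third \r\n after the blank line that ends the headers and carries no Content-Length, so the client receives a two-byte body whose end is marked only by the connection closing. Writing "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n" instead makes the response self-delimiting and removes the dependence on when the socket is closed.
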
Member

Is the sleep() necessary for this test?

Member

Again, copy/paste. Deserves a separate PR to clean up.

* Fork off the other side, then do your work.
*/
SubjectAltNameIPv6() throws Exception {
if (separateServerThread) {
Member

Are these if/else blocks needed or could we simplify the test to just expect the server and client to run as separate threads?

Member

I spoke to Daniel and I agree with him that it's OK to leave this in current form and if needed clean up as a follow up when doing the same for the rest of these tests.

* @test
* @bug 8369950
* @library /test/lib
* @summary TLS connection to IPv6 address fails with BCJSSE due to IllegalArgumentException
Member

Nit - as per the jtreg tag order recommendation, the @summary should come before the @library https://openjdk.org/jtreg/tag-spec.html#ORDER

Member

Also, this test doesn't exercise the BouncyCastle provider. Would it be better to change this line to say:

@summary Test that the HttpsURLConnection does not set IPv6 address literals for SNI hostname during TLS handshake

Contributor Author

> Nit - as per the jtreg tag order recommendation, the @summary should come before the @library https://openjdk.org/jtreg/tag-spec.html#ORDER

Thanks @jaikiran, I will update the order and the summary text. The BouncyCastle came here from the title of the issue.

@sercher
Contributor Author

sercher commented Dec 2, 2025

> Hello Sergey, the copyright year on HttpsClient will need an update from 2001, 2024, to 2001, 2025,

Thanks @jaikiran. That's correct. I will update the headers.

@sercher sercher marked this pull request as draft December 2, 2025 10:23
@openjdk openjdk bot removed sponsor Pull request is ready to be sponsored ready Pull request is ready to be integrated rfr Pull request is ready for review labels Dec 2, 2025
Contributor

Copyright year needs a bump.

Comment on lines +477 to +478
!(host.charAt(0) == '[' && host.charAt(host.length() - 1) == ']' &&
IPAddressUtil.isIPv6LiteralAddress(host.substring(1, host.length() - 1))
Contributor

There is one more place in sun.net.www, which is in this very class, that

(host.charAt(0) == '[' && host.charAt(host.length() - 1) == ']') { return host.substring(1, host.length() - 1)

logic is practiced. Would it make sense to refactor this into a private static Optional<String> ipv6FromHost(String host) method, preferably with some short explanation in the method's Javadoc on why we do this?

Member

The same thought occurred to me but I'd rather keep refactoring at a minimum in this PR.

Member

@myankelev myankelev left a comment

Just a few minor comments

}

SSLSocketFactory sf = new SimpleSSLContext().get().getSocketFactory();
URL url = new URL("https://[::1]:" + serverPort + "/index.html");
Member

Suggested change
URL url = new URL("https://[::1]:" + serverPort + "/index.html");
URL url =
new URI("https://[::1]:" + serverPort + "/index.html").toURL();

Contributor Author

I think the block is better readable without it.

Member

It's deprecated since version 20 I think

Contributor Author

Ahh, ok, I read it wrong, apologies. URI is the modern one, exactly.

void doServerSide() throws Exception {
SSLServerSocketFactory sslssf =
new SimpleSSLContext().get().getServerSocketFactory();
SSLServerSocket sslServerSocket =
Member

Nit: could you please keep the lines under 80 characters long. There are a few instances in this file

Contributor Author

ok.

*/
SubjectAltNameIPv6() throws Exception {
startServer();
startClient();
Member

Do you think it might be better to call doClientSide here directly?

Contributor Author

ok, accepted.

/*
* Is the server ready to serve?
*/
volatile static boolean serverReady = false;
Member

I think this might be better to make this a CountDownLatch

Contributor Author

ok, accepted.

}

void startServer() throws Exception {
serverThread = new Thread() {
Member

Suggested change
serverThread = new Thread() {
serverThread = new Thread(() -> {

What do you think?

Contributor Author

@sercher sercher Dec 2, 2025

This makes sense. I will add it manually in a single commit.

@sercher
Contributor Author

sercher commented Dec 2, 2025

/contributor add @myankelev

@openjdk

openjdk bot commented Dec 2, 2025

@sercher
Contributor Mikhail Yankelevich <myankelevich@openjdk.org> successfully added.

@myankelev
Member

Thanks for considering me as a contributor to this ticket! I really appreciate it.
I personally feel that my suggestions weren't extensive enough to require adding me as a contributor, so there is need for it unless you think it's appropriate.

Overall the ticket looks good, thank you for your updates!

@sercher
Contributor Author

sercher commented Dec 3, 2025

@myankelev Thank you for in-depth review.

@sercher sercher requested a review from djelinski December 3, 2025 00:44
BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS));
bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n");
bw.flush();
sslSocket.close();
Member

Now that you removed the Thread.sleep, you can't close the socket without reading the request off the input stream; it will cause intermittent connection reset failures on Windows. You can use the readOneRequest method.

Contributor Author

Thanks @djelinski for spotting this. Added the method.

* @comment Add -Djavax.net.debug=all to the following line to enable SSL debugging
* @run main/othervm SubjectAltNameIPv6
* @comment Insert -Djavax.net.debug=all into the following lines to enable SSL debugging
* @run main/othervm SubjectAltNameIPv6 127.0.0.1
Contributor

Since we also test against IPv4, I'd remove the mention of IPv6 from the class name (e.g., SubjectAltNameIP) and @summary.

Contributor Author

Thanks, done.

*/
conn.setSSLSocketFactory(wrapSocketFactory(sf));
conn.setSSLSocketFactory(wrapSocketFactory(sf,
sslSocket -> clientSSLSocket = sslSocket));
Contributor

Shall we first assert that clientSSLSocket == null before assignment?

Contributor Author

The method doClientSide() is called from constructor, the clientSSLSocket is non-static and was set to null. Therefore, it's the only assignment of clientSSLSocket per instance. Or do you mean the check must be in the lambda-expr?

Contributor

I mean something like:

Suggested change
sslSocket -> clientSSLSocket = sslSocket));
sslSocket -> {
assertNull(clientSSLSocket);
clientSSLSocket = sslSocket;
}));

To avoid double-assignment and eventually causing verification of the wrong value.

Contributor Author

I made assertEquals instead, otherwise it shows an incorrect message - it prints the left hand operand as "expected" value, which in the case of assertNull is in the right hand operand.

conn.getInputStream();

var sniSN = clientSSLSocket.getSSLParameters().getServerNames();
if( sniSN != null && !sniSN.isEmpty()) {
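
Review bot: clientSSLSocket is dereferenced on the getSSLParameters() line with no null check, and it is only assigned by the callback passed to wrapSocketFactory, so a connection that never goes through the wrapped factory ends the test with a NullPointerException rather than a clear failure. Assert that clientSSLSocket is non-null right after conn.getInputStream() and before reading its server names.
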
Contributor

if( sniSN → if (sniSN

Contributor Author

Thanks, done.

sercher and others added 3 commits December 4, 2025 14:26
Co-authored-by: Daniel Jelinski <djelinski1@gmail.com>
Co-authored-by: Volkan Yazıcı <volkan.yazici@oracle.com>
@openjdk openjdk bot added the ready Pull request is ready to be integrated label Dec 4, 2025
@sercher sercher requested a review from vy December 4, 2025 21:58
@sercher
Contributor Author

sercher commented Dec 8, 2025

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label Dec 8, 2025
@openjdk

openjdk bot commented Dec 8, 2025

@sercher
Your change (at version 36c0874) is now ready to be sponsored by a Committer.

@vy
Contributor

vy commented Dec 8, 2025

/sponsor

@openjdk

openjdk bot commented Dec 8, 2025

Going to push as commit 7da9153.
Since your change was applied there have been 161 commits pushed to the master branch:

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Dec 8, 2025
@openjdk openjdk bot closed this Dec 8, 2025
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review sponsor Pull request is ready to be sponsored labels Dec 8, 2025
@openjdk

openjdk bot commented Dec 8, 2025

@vy @sercher Pushed as commit 7da9153.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels

integrated Pull request has been integrated net net-dev@openjdk.org security security-dev@openjdk.org

6 participants