An application that uses SSL runs fine under JDK 1.6.0_07 fails on 1.6.0_10, with the error "java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found".  As far as I can tell, this means certificate client hostname checking in _10 is broken.

I've subclassed X509ExtendedTrustManager and overridden the following method and added code to print out the "hostname" parameter:

    public void checkClientTrusted(X509Certificate chain[],
      String authType, String hostname, String algorithm)

The SSL debugging trace for _10 is below, the first line is from the 'println' described above.

On _07 this prints "localhost", on _10 it prints "127.0.0.1".  The certificate contains a Subject Alternative Name DNS entry for "localhost", but not an IP entry, so the verification fails on _10 because the "hostname" parameter is being passed incorrectly as the IP address.

----------

hostname: 127.0.0.1

Found  customer  certificate:
[
[
  Version: V3
  Subject: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  SunPKCS11-Solaris RSA public key, 1024 bits (id 141872840, session  customer )
  modulus: 109777218937388701784579687142656553341258321638585627485175050314459183201332477916460154772991397177884180777647990110004231594570592744683000156387973919408665778569055470325764510541090702915175442409277089172259451334766955930833463434056218955943049848174218012553219322334089538187179486760641341890673
  public exponent: 65537
  Validity: [From: Wed Dec 12 21:23:40 GMT 2007,
               To: Tue Dec 11 21:23:40 GMT 2012]
  Issuer: CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH
  SerialNumber: [    d790f9d4 fda5a41f]

Certificate Extensions: 9
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  RFC822Name:   xxxxx@xxxxx  
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 21 A5 8E AF 58 A0 CF A1   49 43 67 5B AD CB F8 EF  !...X...ICg[....
0010: 3E 6F CC 43                                        >o.C
]

[CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=LH]
SerialNumber: [    d790f9d4 fda5a41f]
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 A5 8E AF 58 A0 CF A1   49 43 67 5B AD CB F8 EF  !...X...ICg[....
0010: 3E 6F CC 43                                        >o.C
]
]

[4]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 24 16 22 4F 70 65 6E   53 6F 6C 61 72 69 73 2E  .$."OpenSolaris.
0010: 6F 72 67 20 43 6C 69 65   6E 74 20 43 65 72 74 69  org Client Certi
0020: 66 69 63 61 74 65                                  ficate


[5]: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  DNSName: localhost
  RFC822Name:   xxxxx@xxxxx  
]

[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
]

[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[8]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
  clientAuth
]

[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 3B E1 09 78 7A FB 9E D8   17 B9 0C E0 FE 59 E6 5E  ;..xz........Y.^
0010: 35 70 85 CE B6 1F AD DD   17 13 60 CC BE 9F D6 53  5p........`....S
0020: 33 B1 1E 43 A5 9E 21 A0   52 21 A1 C2 DA 32 75 94  3..C..!.R!...2u.
0030: 78 A3 7C 07 85 8C 80 AA   AD 08 6E B5 56 47 4B EF  x.........n.VGK.
0040: D3 68 19 57 2E C6 71 3F   3A FE EA AA D0 7E BF 84  .h.W..q?:.......
0050: 00 2F D1 1E 48 A2 46 92   EA 63 1F F7 77 92 BB 23  ./..H.F..c..w..#
0060: 92 A0 12 24 5D EE 8A B4   D6 26 D4 98 84 36 F9 09  ...$]....&...6..
0070: FA 3D D3 73 E0 CE 58 9B   E6 64 8E FC DE 8F 27 5F  .=.s..X..d....'_

]
XML-RPC Weblistener, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
XML-RPC Weblistener, WRITE: TLSv1 Alert, length = 2
XML-RPC Weblistener, called closeSocket()
XML-RPC Weblistener, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
XML-RPC Weblistener, called close()
XML-RPC Weblistener, called closeInternal(true)
03 Nov 2008 12:52:39,421 ERROR java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1253)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
        at org. customer .xmlrpc.webserver.HttpServletRequestImpl$2.read(HttpServletRequestImpl.java:91)
        at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:94)
        at org. customer .xmlrpc.webserver.HttpServletRequestImpl.readLine(HttpServletRequestImpl.java:167)
        at org. customer .xmlrpc.webserver.HttpServletRequestImpl.<init>(HttpServletRequestImpl.java:103)
        at org. customer .xmlrpc.webserver.ServletConnection.<init>(ServletConnection.java:47)
        at org. customer .xmlrpc.webserver.ServletWebServer.newTask(ServletWebServer.java:142)
        at org. customer .xmlrpc.webserver.WebServer.run(WebServer.java:326)
        at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:155)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:238)
        at org.opensolaris.auth.ssl.SSLSocketManager$HostnameCheckTrustManager.checkClientTrusted(SSLSocketManager.java:279)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1232)
        ... 17 more
Posted Date : 2008-11-03 14:54:45.0

As a workaround, I would suggest always convert the hostname into a resolved hostname before call the default checkClientTrusted in the customized trust manager,
_hostname_ = InetAddress.getByName(hostname).getHostName();
Or
_hostname_ = InetAddress.getByName(hostname).getCanonicalHostName();

The application enable client identity checking during extending X509ExtendedTrustManager with a fixed identification algorithm, "https", and the bug fix of 6614957 changes the behaviors of how to get a ssl socket host name, cause known.
Posted Date : 2008-11-05 00:59:17.0