When establishing a TLS connection, in order to maintain compatibility with Node, we first negotiate the connection, and then manually check the certificate's validity by calling X509TrustManager.check[Client|Server]Trusted, with the argument "RSA".
However, the trust manager actually supports all kinds of verification parameters, and "RSA" is not the right choice in all cases. (And the Java docs are completely unhelpful here -- only the source tells us anything.)
The answer is to check the name of the cipher suite that was negotiated and use part of that, so that we use "RSA" or "ECDHE_ECDSA", and many other choices depending on the suite.
The result of this bug is that Trireme was not able to connect to "graph.facebook.com".
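One way to derive the argument from the negotiated suite, as an added example that is not Trireme's own code: the class and method names are hypothetical, the suite names in `main` are constructed samples, and the "UNKNOWN" fallback for names without a key-exchange part is an assumption.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

public class AuthTypeFromSuite {
    /** Hypothetical helper: the part of the suite name between the protocol
     *  prefix and "_WITH_", e.g. "ECDHE_ECDSA" or "RSA". */
    static String authTypeFor(String cipherSuite) {
        int start = cipherSuite.indexOf('_');      // end of the "TLS" / "SSL" prefix
        int with = cipherSuite.indexOf("_WITH_");
        if (start < 0 || with < 0 || start + 1 >= with) {
            // Assumption: a name with no "_WITH_" (TLS 1.3 style) carries no
            // key-exchange part, so pass a neutral value instead of guessing "RSA".
            return "UNKNOWN";
        }
        return cipherSuite.substring(start + 1, with);
    }

    /** Post-handshake check of the server chain with the derived argument. */
    static void checkServer(SSLSession session, X509TrustManager tm)
            throws SSLPeerUnverifiedException, CertificateException {
        Certificate[] peer = session.getPeerCertificates();
        // Throws ArrayStoreException if the peer sent a non-X.509 certificate.
        X509Certificate[] chain =
                Arrays.copyOf(peer, peer.length, X509Certificate[].class);
        // A CertificateException here means the chain is not trusted; the
        // caller must treat that as a failed connection, not a warning.
        tm.checkServerTrusted(chain, authTypeFor(session.getCipherSuite()));
    }

    public static void main(String[] args) {
        String[] constructed = {                   // constructed sample inputs
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
        };
        for (String suite : constructed) {
            System.out.println(suite + " -> " + authTypeFor(suite));
        }
    }
}
```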