Support QuicheQuicSslEngine hostname identification algorithm. #16426
Merged
normanmaurer merged 2 commits on Mar 11, 2026
Contributor
Author
Note: as shown in the comment, the default endpoint verification algorithm is not set like it is for the regular context. We need to figure out what is best to obtain the relevant default.
normanmaurer reviewed Mar 9, 2026
Contributor
Author
PTAL @normanmaurer
Member
@vietj please check the test-failures and ping me once ready
Motivation:
QuicheQuicSslEngine does not currently support hostname identification algorithm.
Changes:
- add configuration for hostname identification algorithm in QuicSslContextBuilder
- configure QuicheQuicSslEngine ssl parameters; those parameters are used by X509ExtendedTrustManager#checkTrusted to enforce the algorithm; this is called by BoringSSLCertificateVerifyCallback
Results:
Hostname verification algorithm is configurable and enforced.
3856bd5 to 217f780
… the same default as SslContextBuilder
Motivation:
QuicSslContextBuilder#endpointIdentificationAlgorithm should be initialized with the same default as SslContextBuilder
Changes:
Use a Java visibility trick to make SslUtils#defaultEndpointVerificationAlgorithm visible to QuicSslContextBuilder.
Changes:
Move SslUtils#endpointIdentificationAlgorithm to SslContext as static package private so it can be referenced by QuicheQuicSslContext.
217f780 to 8f9b144
Contributor
Author
@normanmaurer PTAL, actually now a QUIC test is subject to verification and failed because "HTTPS" is the new default algorithm. The test is modified to create an ssl engine specifying the peer host so verification can operate as expected.
Member
@vietj thanks a lot!
netty-project-bot pushed a commit that referenced this pull request Mar 11, 2026
Motivation:
QuicheQuicSslEngine does not currently support hostname identification algorithm.
Changes:
- add configuration for hostname identification algorithm in QuicSslContextBuilder
- configure QuicheQuicSslEngine ssl parameters; those parameters are used by X509ExtendedTrustManager#checkTrusted to enforce the algorithm; this is called by BoringSSLCertificateVerifyCallback
Results:
Hostname verification algorithm is configurable and enforced.
(cherry picked from commit 994e887)
Contributor
Auto-port PR for 5.0: #16434
normanmaurer pushed a commit that referenced this pull request Mar 11, 2026
…gorithm. (#16434)
Auto-port of #16426 to 5.0
Cherry-picked commit: 994e887
---
Motivation:
QuicheQuicSslEngine does not currently support hostname identification algorithm.
Changes:
- add configuration for hostname identification algorithm in QuicSslContextBuilder
- configure QuicheQuicSslEngine ssl parameters; those parameters are used by X509ExtendedTrustManager#checkTrusted to enforce the algorithm; this is called by BoringSSLCertificateVerifyCallback
Results:
Hostname verification algorithm is configurable and enforced.
Co-authored-by: Julien Viet <[email protected]>
Motivation:
QuicheQuicSslEngine does not currently support hostname identification algorithm.
Changes:
Results:
Hostname verification algorithm is configurable and enforced.
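
The two engine settings this change depends on (an endpoint identification algorithm in the SSL parameters and a peer host on the engine), shown as an added example that is not code from this pull request or from Netty. It uses a plain JDK `SSLEngine` as a stand-in for `QuicheQuicSslEngine`; the class name, the `problem` helper and the host `server.example:4433` are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdCheck {

    // Builds a client-mode engine. A null host models an engine created without
    // peer information, as in the QUIC test mentioned in the conversation.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port, String algorithm) {
        SSLEngine engine = host == null ? ctx.createSSLEngine() : ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // A null algorithm means the trust manager performs no hostname verification.
        params.setEndpointIdentificationAlgorithm(algorithm);
        engine.setSSLParameters(params);
        return engine;
    }

    // Hypothetical audit helper: returns null when the engine carries what an
    // X509ExtendedTrustManager needs for hostname verification, else the reason.
    static String problem(SSLEngine engine) {
        String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        if (algorithm == null || algorithm.isEmpty()) {
            return "no endpoint identification algorithm, the certificate name is not checked";
        }
        if (engine.getPeerHost() == null) {
            return "algorithm " + algorithm + " is set but the engine has no peer host to compare against";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample cases: unverified, verification without a peer host, fully configured.
        SSLEngine[] engines = {
            clientEngine(ctx, "server.example", 4433, null),
            clientEngine(ctx, null, -1, "HTTPS"),
            clientEngine(ctx, "server.example", 4433, "HTTPS"),
        };
        for (SSLEngine engine : engines) {
            String reason = problem(engine);
            System.out.println(reason == null ? "ok: peer host " + engine.getPeerHost() : "problem: " + reason);
        }
    }
}
```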