Skip to content

Use InetAddress.getHostString() in WolfSSLSocket.connect() to keep original hostname#374

Merged
rlm2002 merged 1 commit into
wolfSSL:masterfrom
cconlon:preserveConnectHostname
Jun 29, 2026
Merged

Use InetAddress.getHostString() in WolfSSLSocket.connect() to keep original hostname#374
rlm2002 merged 1 commit into
wolfSSL:masterfrom
cconlon:preserveConnectHostname

Conversation

@cconlon

@cconlon cconlon commented Jun 26, 2026

Copy link
Copy Markdown
Member

This PR fixes SNI and HTTPS endpoint identification for the createSocket() + connect(InetSocketAddress) flow. WolfSSLSocket.connect(SocketAddress) stored the resolved IP as the peer host instead of the original hostname, so hostname verification ran against the IP and failed against certs with DNS SANs.

This PR uses InetSocketAddress.getHostString() instead of getAddress().getHostAddress(), which preserves the application-supplied hostname (no reverse DNS lookup).

Adds testConnectSocketAddressPreservesHostname, covering the two outcomes connect() derives via getHostString() and asserting SSLSession.getPeerHost() as follows (where bytes = InetAddress.getLoopbackAddress().getAddress()):

Address Peer host
new InetSocketAddress(getByAddress("localhost", bytes), p) localhost
new InetSocketAddress(getByAddress(bytes), p) loopback IP (e.g. 127.0.0.1)

ZD 22051

@cconlon cconlon self-assigned this Jun 26, 2026
Copilot AI review requested due to automatic review settings June 26, 2026 17:13

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes WolfSSLSocket.connect(SocketAddress) so that SNI and HTTPS endpoint identification use the application-supplied hostname (instead of the resolved IP), aligning behavior with SunJSSE for the createSocket() + connect(InetSocketAddress) flow.

Changes:

  • Update WolfSSLSocket.connect() to store the peer host via InetSocketAddress.getHostString() (preserves the original hostname without reverse DNS).
  • Add a new regression test covering multiple InetSocketAddress construction paths and asserting SSLSession.getPeerHost() behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java Preserves original hostname for SNI/endpoint identification by using InetSocketAddress.getHostString() when registering host/port after connect().
src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java Adds coverage for createSocket() + connect(InetSocketAddress) ensuring SSLSession.getPeerHost() matches SunJSSE-style derivation rules.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java Outdated
@cconlon cconlon force-pushed the preserveConnectHostname branch from 8b5e5e9 to ffcf18e Compare June 26, 2026 17:41
@cconlon cconlon assigned rlm2002 and unassigned cconlon Jun 26, 2026
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java Outdated
@rlm2002 rlm2002 assigned cconlon and unassigned rlm2002 Jun 29, 2026
@cconlon cconlon force-pushed the preserveConnectHostname branch from ffcf18e to 870d1a6 Compare June 29, 2026 21:32
@cconlon cconlon requested a review from Copilot June 29, 2026 21:32

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java
Comment thread src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java
@cconlon cconlon force-pushed the preserveConnectHostname branch from 870d1a6 to 01c0fd9 Compare June 29, 2026 21:53
@cconlon cconlon assigned rlm2002 and unassigned cconlon Jun 29, 2026
@rlm2002 rlm2002 merged commit de76a2c into wolfSSL:master Jun 29, 2026
107 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants