Special-case exception for SunJSSE compatibility

peterdettman · peterdettman · commit b85889fb4200 · 2025-08-29T19:16:59.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509TrustManager.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509TrustManager.java
@@ -456,7 +456,20 @@ private static void checkEndpointID(X509Certificate certificate, String endpoint
             }
         }
 
-        checkEndpointID(peerHost, certificate, endpointIDAlg);
+        try
+        {
+            checkEndpointID(peerHost, certificate, endpointIDAlg);
+        }
+        catch (CertificateException e)
+        {
+            // Special case for SunJSSE compatibility 
+            if (!checkServerTrusted && "HTTPS".equalsIgnoreCase(endpointIDAlg))
+            {
+                throw new CertificateException("Endpoint ID algorithm 'HTTPS' is not supported on the server side");                
+            }
+
+            throw e;
+        }
     }
 
     private static X509CertSelector createTargetCertConstraints(final X509Certificate eeCert,
