RFR: 8326381: com.sun.net.httpserver.HttpsParameters and SSLStreams incorrectly handle needClientAuth and wantClientAuth
Michael McMahon
michaelm at openjdk.org
Thu Feb 22 09:29:00 UTC 2024
On Wed, 21 Feb 2024 07:26:52 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> If I understand correctly, `com.sun.net.httpserver` is not part of the spec, and CSRs are for spec changes only.
>
> Have you verified that the new code works as intended?
>
> * sends a CertificateRequest message only if either of the properties is true
>
> * refuses to connect if needClientAuth is true and the client doesn't produce a certificate
>
> Pretty sure we don't have any tests for that, they couldn't possibly pass with the current code.
On the second point there, I think it would be useful if we had a test for this. It could be done in another PR maybe, but it would need a client/server interaction with the "need" flag set and if no client cert available, check for appropriate error. If cert available the client and server can both check that it was used, through the SSLSession created.
You could use the same approach to test the "want" flag as well potentially.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/17940#issuecomment-1959031676