RFR: 8326381: com.sun.net.httpserver.HttpsParameters and SSLStreams incorrectly handle needClientAuth and wantClientAuth [v6]

Daniel Jeliński djelinski at openjdk.org
Tue Feb 27 13:00:54 UTC 2024 

On Mon, 26 Feb 2024 11:36:23 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:

>> Can I please get a review of this change which proposes to fix https://bugs.openjdk.org/browse/JDK-8326381?
>> 
>> As noted in the JBS issue, the implementation in `setNeedClientAuth()` and `setWantClientAuth()` of `com.sun.net.httpserver.HttpsParameters` wasn't matching the API specification. The commit in this PR fixes that issue and it now matches the API specification as well as what is done in `javax.net.ssl.SSLParameters` class.
>> 
>> Additionally, as noted in the JBS issue, the (internal class) `sun.net.httpserver.SSLStreams` had a bug where it could end up resetting the `needClientAuth` flag on the `SSLEngine` because of the way the `setNeedClientAuth()` and `setWantClientAuth()` methods were being called on the `SSLEngine`. This too has been fixed in this PR.
>> 
>> A new jtreg test has been introduced to reproduce the issue in the `HttpsParameters` class and verify this fix.
>
> Jaikiran Pai has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - John's review - set need/wantClientAuth to false and expect both need/wantClientAuth to be false
>  - assert that client auth was indeed initiated by server during TLS handshake

LGTM.

test/jdk/com/sun/net/httpserver/HttpsParametersClientAuthTest.java line 498:

> 496:         @Override
> 497:         public X509Certificate[] getCertificateChain(String alias) {
> 498:             clientAuthInitiated = true; // keep track that client certs was requested

nit: this is not necessary - `getCertificateChain` is only called if `choose*Alias` returns a non-null value, and both the `chooseClientAlias` methods set `clientAuthInitiated = true` already.

-------------

Marked as reviewed by djelinski (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/17940#pullrequestreview-1903425127
PR Review Comment: https://git.openjdk.org/jdk/pull/17940#discussion_r1504184810

More information about the net-dev mailing list