RFR JDK-8206925,,Support the certificate_authorities extension

Xuelei Fan xuelei.fan at oracle.com
Tue May 5 18:29:16 UTC 2020


Hi,

Could I get the following update reviewed?

RFE: https://bugs.openjdk.java.net/browse/JDK-8206925
CSR: https://bugs.openjdk.java.net/browse/JDK-8244441
Release-note: https://bugs.openjdk.java.net/browse/JDK-8244460
webrev: http://cr.openjdk.java.net/~xuelei/8206925/webrev.00/

The "certificate_authorities" extension is an optional extension 
introduced in TLS 1.3 and used to indicate the certificate authorities 
(CAs) which an endpoint supports and which SHOULD be used by the 
receiving endpoint to guide certificate selection.

In TLS 1.2, this function is built in the CertificateRequest handshake 
massage.

This function is supported in TLS 1.2 and prior versions. However, it is 
not implemented in the TLS 1.3 implementation. Without this function, 
the authentication certificate selected may be not the one the peer 
could accepted, when there are multiple certificates available.

Thanks,
Xuelei


More information about the security-dev mailing list