RFR JDK-8206925,,Support the certificate_authorities extension

Xuelei Fan xuelei.fan at oracle.com
Fri May 15 05:22:56 UTC 2020

Alexey has some good point about the size limit of the extension.  I 
added more comments about the compatibility impact and interop impact 
when there is too much CAs to meet the size limits in CSR, source code 
and release notes.

New webrev: https://bugs.openjdk.java.net/browse/JDK-8244460

I have not had a chance to add a negative test case yet.

On 5/14/2020 1:38 PM, Sean Mullan wrote:
> For the CSR, why did you check the binary and behavioral boxes for 
> compatibility risk?
I should not check the boxes.  Removed.


> Otherwise it looks good, and I added my name as 
> Reviewer. I will review the updated webrev later.
> Please file and add a link to a docs issue to document the new system 
> property.
> --Sean
> On 5/13/20 5:20 PM, Xuelei Fan wrote:
>> On 5/13/2020 2:11 PM, Sean Mullan wrote:
>>>>>> It is not expected to use this extension regularly.
>>>>>> Please let me know if you still prefer to use "enableCAExtension".
>>>>>>> Also, it is a bit unfortunate that we have to have a system 
>>>>>>> property to enable it. Can we not enable it based on whether the 
>>>>>>> configured X509TrustManager.getAcceptedIssuers returns a 
>>>>>>> non-empty list?
>>>>>> We can do that on server side, but there are compatibility impact 
>>>>>> on client behavior if we did it in client side.  See #2 in the 
>>>>>> "Specification" section.
>>>>> But doesn't the default JDK PKIX TrustManager throw a fatal 
>>>>> exception and close the connection if the server's certificate 
>>>>> cannot be validated? Could we check if the PKIX TrustManager is 
>>>>> being used?
>>>> Yes, the trust manager could throw a fatal exception and close the 
>>>> connection if the trust cannot be established.  The fallback 
>>>> mechanism is implemented in the customized trust manager, that if 
>>>> users accept the cert, the cert is trusted, and no exception and the 
>>>> handshaking continued.  It is too later to fallback after the 
>>>> connection closed.
>>>>> If a client wants to accept self-signed or untrusted server 
>>>>> certificates, I would have expected them to have to use a custom 
>>>>> X509TrustManager that allows that, and that getAcceptedIssuers() 
>>>>> should return an empty List. Is that not is what is typically done 
>>>>> in practice?
>>>> Yes, customized trust manager is used to accept users manually 
>>>> selection.  As the users may also want to accept normal certificate 
>>>> without manually involved, so getAcceptedIssuers() should respect 
>>>> those CA as well.
>>> I see. Out of curiosity, have you checked how other implementations 
>>> handle this extension? For web browsers, they typically give the user 
>>> the option of proceeding if the server certificate is not trusted. 
>>> Seems to be a bit of a configuration dilemma as you may want this 
>>> extension enabled for certain sites that have multiple certificates, 
>>> but not as a general default because then you wouldn't be able to 
>>> connect to untrusted sites (at your own risk of course). I wonder if 
>>> it would have been better for the RFC to allow the server to treat 
>>> this extension more as a hint, and still return its chain if an 
>>> acceptable certificate could not be found.
>> If it is treated as a hint, then it might be better no have this 
>> extension.
>> I checked with browsers, the extension is not present in ClientHello. 
>> For JDK, I would not expect a lot use of this extension in client 
>> side. It is just designed to workaround a few cases, just as you 
>> mentioned above.
>> Xuelei

More information about the security-dev mailing list