RFR JDK-8206925, Support the certificate_authorities extension
Sean Mullan
sean.mullan at oracle.com
Fri May 22 18:17:04 UTC 2020
On 5/22/20 1:55 PM, Xuelei Fan wrote:
>> * test/jdk/sun/security/ssl/X509TrustManagerImpl/TooMuchCAs.java
>>
>> Will this test FAIL if we ever exceed the maximum number of CAs? I
>> think it is important that it does FAIL, as the extension is
>> effectively not working anymore and could cause compatibility issues.
>> I even think we would need to try to think of some way to fix it,
>> either by seeing if some CAs could be excluded - not really sure,
>> hopefully it won't ever happen but we would want to know about it in
>> advance.
>>
> Alexey (from Azul) and I discussed the idea of controlling the number of
> CAs. However, there are still some issues in practice.
>
> "If the certificate authorities cannot be fully listed, it cannot be
> used to indicate the peer certificate selection accuracy. For example,
> the client supports A, B and C, and is only able to indicate A and B. If the
> server supports C, the connection cannot be established with this
> extension. This is not the expected behavior. Maybe it is no worse
> than without this extension."
>
> It looks safer that the extension is not used if the size exceeds
> the limit; at least there ARE fewer compatibility issues. I have a note
> in the CSR and release note for the behaviors.
>
> The test case, TooMuchCAs, is used to make sure the connection can be
> established when the CAs size exceeds the limit (no extension used).
Sure, I agree that is the best behavior. I guess my point is that if we
ever really exceed the maximum number of CAs in the cacerts keystore, it
would be good to have a test that will fail because of that. Minimally,
this would allow us to publish a release note warning users that the CA
extension will no longer work unless some roots are removed.
Would the other test fail
(test/jdk/sun/security/ssl/X509KeyManager/CertificateAuthorities.java)
if that happens?
--Sean
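One way to write the failing check Sean asks for, as an added example rather than code from the JDK change or its tests. It assumes the limit in question is the RFC 8446 wire limit on the authorities vector, that the extension lists the subject name of each accepted issuer, and that the trust store is the default cacerts under java.home.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

// Added example, not JDK code. Assumed limit: the RFC 8446 wire format
// "DistinguishedName authorities<3..2^16-1>", each name "opaque<1..2^16-1>"
// DER, so the payload is 2 + sum(2 + len(DER_i)) bytes, at most 65535.
public class CertificateAuthoritiesSizeCheck {
    static final int MAX_AUTHORITIES_BYTES = 0xFFFF; // 2^16 - 1
    // Bytes the authorities vector would occupy on the wire for these names.
    static int encodedSize(List<X500Principal> authorities) {
        int size = 2; // two-byte length prefix of the whole vector
        for (X500Principal name : authorities) {
            size += 2 + name.getEncoded().length; // per-entry length + DER
        }
        return size;
    }
    // Accepted issuers of the store's trust manager: what the extension lists.
    static List<X500Principal> acceptedIssuers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        List<X500Principal> names = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                names.add(c.getSubjectX500Principal());
            }
        }
        return names;
    }
    public static void main(String[] args) throws Exception {
        // Assumed default trust store path; pass another keystore as args[0].
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, null); // null password: read without integrity check
        }
        int size = encodedSize(acceptedIssuers(ks));
        if (size > MAX_AUTHORITIES_BYTES) { // the failing check the review asks for
            throw new AssertionError(size + " bytes: extension would be omitted");
        }
    }
}
```

Run against a build's cacerts, it fails only once the encoded list of trusted roots no longer fits, which is the condition under which the extension would silently stop being sent.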