RFR: 8294985: SSLEngine throws IAE during parsing of X500Principal [v11]

Sean Mullan mullan at openjdk.org
Thu May 18 17:14:55 UTC 2023


On Thu, 18 May 2023 16:58:50 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java line 290:
>> 
>>> 288:                 shc.peerSupportedAuthorities = spec.getAuthorities();
>>> 289:             } catch (IllegalArgumentException iae) {
>>> 290:                 shc.conContext.fatal(Alert.DECODE_ERROR, "X500Principal could not be parsed", iae);
>> 
>> In the context, it may be easier to catch the idea if the message is about the authorities, and easier to update getAuthorities() implementation, for example X500Principal is not used any longer, if needed in the future.
>> 
>> - "X500Principal could not be parsed"
>> + "Peer authorities could not be parsed"
>
> I'm inclined to keep the current version. It seems more specific in guiding the caller to the fix needed. However, I understand your point. 
> 
> @seanjmullan comments?

I tend to agree with Xuelei in that we should try to use terms as specified in the TLS RFCs in error messages as that will give a user a better indication of where the issue is. I would even be a bit more specific and suggest:

"The distinguished names of the peer's certificate authorities could not be parsed"

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13466#discussion_r1198073492


More information about the security-dev mailing list