RFR: 8325022: Incorrect error message on client authentication [v2]
John Jiang
jjiang at openjdk.org
Thu Feb 1 02:39:06 UTC 2024
On Wed, 31 Jan 2024 20:43:31 GMT, Bernd <duke at openjdk.org> wrote:
>> John Jiang has updated the pull request incrementally with one additional commit since the last revision:
>>
>> fix more error messages
>
> src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 389:
>
>> 387: // unexpected or require client authentication
>> 388: throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
>> 389: "Empty client certificate chain");
>
> Hm, in TLS 1.3 it should be certificate_required and in 1.2 handshake_failure for required auth.
>
> RFC 8446 6.2: “certificate_required: Sent by servers when a client certificate is
> desired but none was provided by the client.”
> RFC 5246 7.4.6: “If the client does not send any certificates, the
> server MAY at its discretion either continue the handshake without
> client authentication, or respond with a fatal handshake_failure
> alert.”
Thanks for raising this point.
I just filed a JBS issue: https://bugs.openjdk.org/browse/JDK-8325079
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17645#discussion_r1473724754
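The alert choice discussed in the thread, as an added example (not JDK code and not from the PR): a small decoder for a plaintext TLS alert record that names the alert and checks it against what RFC 5246 7.4.6 and RFC 8446 6.2 prescribe when a client sends no certificate. It assumes the negotiated protocol version is supplied separately (TLS 1.3 records carry the legacy version 0x0303), and that the record is already in plaintext, as it is for a TLS 1.2 alert on the wire or a TLS 1.3 alert after decryption.

```python
"""Decode a TLS alert record and compare it with the alert the RFCs expect
when a server requires client authentication and the client sends no certificate."""
import struct

CONTENT_TYPE_ALERT = 21
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    116: "certificate_required",  # defined only for TLS 1.3 (RFC 8446 6.2)
}
LEVELS = {1: "warning", 2: "fatal"}
TLS13 = (3, 4)  # supported_versions value for TLS 1.3; TLS 1.2 is (3, 3)


def parse_alert_record(record: bytes):
    """Parse one TLSPlaintext alert record: type(1) version(2) length(2) level(1) description(1)."""
    if len(record) < 7:
        raise ValueError("record too short for an alert")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(record) != 7:
        raise ValueError("alert body must be exactly two bytes")
    return (major, minor), record[5], record[6]


def expected_alert_for_missing_client_cert(negotiated) -> str:
    """RFC 8446: certificate_required in TLS 1.3; RFC 5246: handshake_failure in TLS 1.2."""
    return "certificate_required" if negotiated >= TLS13 else "handshake_failure"


def check_alert(record: bytes, negotiated) -> dict:
    """Name the alert and list deviations from the RFC-prescribed alert for a missing client cert."""
    _, level, desc = parse_alert_record(record)
    name = ALERT_NAMES.get(desc, f"unknown({desc})")
    expected = expected_alert_for_missing_client_cert(negotiated)
    findings = []
    if name == "certificate_required" and negotiated < TLS13:
        findings.append("certificate_required is only defined for TLS 1.3")
    if name != expected:
        findings.append(f"expected {expected} for a missing client certificate, got {name}")
    return {"level": LEVELS.get(level, f"unknown({level})"),
            "description": name, "expected": expected, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a fatal bad_certificate alert (the pre-fix behaviour) under TLS 1.2.
    print(check_alert(b"\x15\x03\x03\x00\x02\x02\x2a", (3, 3)))
```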