RFR: 8325022: Incorrect error message on client authentication [v2]

Bernd duke at openjdk.org
Wed Jan 31 20:46:02 UTC 2024


On Wed, 31 Jan 2024 20:07:28 GMT, John Jiang <jjiang at openjdk.org> wrote:

>> If the server doesn't receive the client certificate for required client authentication, it should raise the error `Empty client certificate chain`.
>
> John Jiang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   fix more error messages

src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 389:

> 387:                     // unexpected or require client authentication
> 388:                     throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
> 389:                         "Empty client certificate chain");

Hm, in TLS 1.3 it should be certificate_required and in 1.2 handshake_failure for required auth.

RFC 8446 6.2: "certificate_required: Sent by servers when a client certificate is desired but none was provided by the client."

RFC 5246 7.4.6: "If the client does not send any certificates, the server MAY at its discretion either continue the handshake without client authentication, or respond with a fatal handshake_failure alert."

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17645#discussion_r1473440462
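The alert choice discussed above, as an added example that is not part of the PR, the JDK sources, or this mailing-list post: a small model of which alert a server should send on an empty client Certificate message per RFC 8446 section 6.2 and RFC 5246 section 7.4.6, together with a decoder for raw TLS alert records so that the alert a server actually emitted (from a decrypted capture or a debug dump) can be checked against the RFC expectation. The names `expected_alert`, `parse_alert_record` and `server_alert_matches_rfc` and the sample records are assumptions made for this example; the "required"/"requested" distinction mirrors JSSE's `setNeedClientAuth` versus `setWantClientAuth`.

```python
# Added example, not JDK code: models the RFC alert for an empty client
# Certificate message and decodes plaintext TLS alert records for comparison.
import struct

# Alert descriptions from the TLS Alert registry (subset relevant here).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    40: "handshake_failure",
    42: "bad_certificate",
    116: "certificate_required",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

CONTENT_TYPE_ALERT = 21
# Record-layer version field; TLS 1.3 records also carry the legacy 0x0303.
RECORD_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2/1.3"}


def expected_alert(protocol: str, client_auth: str, chain_empty: bool):
    """Alert description a server should send, or None to continue the handshake.

    protocol:    "TLSv1.2" or "TLSv1.3"
    client_auth: "required" (JSSE setNeedClientAuth) or "requested" (setWantClientAuth)
    """
    if not chain_empty:
        return None  # a chain was sent; validation is a separate step
    if client_auth == "requested":
        return None  # both RFCs allow continuing without client authentication
    if client_auth != "required":
        raise ValueError("client_auth must be 'required' or 'requested'")
    if protocol == "TLSv1.3":
        return "certificate_required"  # RFC 8446 section 6.2
    if protocol == "TLSv1.2":
        return "handshake_failure"  # RFC 5246 section 7.4.6 (the strict option)
    raise ValueError(f"unsupported protocol {protocol!r}")


def parse_alert_record(record: bytes):
    """Decode a plaintext TLS alert record into (version, level, description)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body
    return (RECORD_VERSIONS.get(version, f"0x{version:04x}"),
            ALERT_LEVELS.get(level, f"level {level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert {desc}"))


def server_alert_matches_rfc(record: bytes, protocol: str, client_auth: str) -> bool:
    """True if the captured alert is the fatal alert the RFC calls for."""
    _, level, desc = parse_alert_record(record)
    return level == "fatal" and desc == expected_alert(protocol, client_auth, True)


# Constructed sample records (assumed, not real captures): header 15 0303 0002,
# then level and description bytes.
TLS13_CERT_REQUIRED = bytes.fromhex("1503030002" "02" "74")   # fatal, certificate_required (116)
TLS12_HANDSHAKE_FAIL = bytes.fromhex("1503030002" "02" "28")  # fatal, handshake_failure (40)
BAD_CERTIFICATE_ALERT = bytes.fromhex("1503030002" "02" "2a")  # fatal, bad_certificate (42)

if __name__ == "__main__":
    for name, rec, proto in [("TLS 1.3", TLS13_CERT_REQUIRED, "TLSv1.3"),
                             ("TLS 1.2", TLS12_HANDSHAKE_FAIL, "TLSv1.2"),
                             ("bad_certificate", BAD_CERTIFICATE_ALERT, "TLSv1.3")]:
        print(name, parse_alert_record(rec), server_alert_matches_rfc(rec, proto, "required"))
```

One caveat when checking this on the wire: in TLS 1.3 the client's Certificate message and the server's response travel under the handshake traffic keys, so the alert appears as an opaque application_data record and the decoder above applies only to the decrypted inner plaintext (or to a key-logged capture). In TLS 1.2 the alert answering the Certificate message is sent in the clear and can be decoded directly.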