KeychainStore include user and predefined roots within one truststore

Alexey Bakhtin alexey at azul.com
Mon Jan 13 19:47:29 UTC 2025


Hello Sean, Tim

I've attached logs to JDK-8347067, created based on Tim’s report.
As you mentioned already, the issue happens because the TLS server sends a truncated chain without the CA intermediate certificates.
In my understanding, it should not be a problem if the Root and CA intermediate are stored in the KeychainStore.
According to the Apple spec, a CA intermediate can be stored without trust settings but is considered trusted if it validates to the root cert.

Regards
Alexey

> On 13 Jan 2025, at 01:21, Tim Jacomb <timjacomb1 at gmail.com> wrote:
> 
> 
> Hi Sean
> 
> I don't have access to add to the bug report, but I've attached to the GitHub pull request here:
> https://github.com/openjdk/jdk/pull/22911#issuecomment-2586577905
> 
> (this can also be reproduced with this repository: https://github.com/timja/openjdk-intermediate-ca-reproducer)
> 
> Thanks
> Tim
> 
> On Thu, 9 Jan 2025 at 20:56, Sean Mullan <sean.mullan at oracle.com> wrote:
>> 
>> On 1/8/25 4:06 AM, Tim Jacomb wrote:
>> > TLS handshake fails with PKIX path building error.
>> > 
>> > Chain is Root -> Intermediate -> Leaf in the runnable example although 
>> > in our real-world use-case it's Root -> Intermediate 1 -> Intermediate 2 
>> > -> Leaf
>> > If I run the example only with Root -> Leaf then it works fine...
>> 
>> It would be helpful if you can attach two logfiles (assuming the info 
>> isn't sensitive) to the bug report[1], one running with 
>> -Djavax.net.debug=all and the other with -Djava.security.debug=certpath.
>> 
>> Thanks,
>> Sean
>> 
>> [1] https://bugs.openjdk.org/browse/JDK-8347067
>> 
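Added example (editor's code, not OpenJDK code and not part of this thread): a small Java program that drives the same PKIX CertPathBuilder that JSSE's trust manager relies on, so the "truncated chain" situation discussed above can be checked offline against a given truststore, including the macOS KeychainStore. It first lists the trusted certificate entries the JDK actually sees in the store, then tries to build a path from the leaf to an anchor. The inputs are assumptions: a leaf certificate file, a truststore file (or the literal `KeychainStore`), optional intermediate files standing in for what the server did or did not send, and the password `changeit` for file-based stores.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added example, not OpenJDK code. Assumed inputs (nothing on this page ships them):
 *   args[0]     leaf certificate, PEM or DER
 *   args[1]     truststore: a JKS/PKCS12 file, or the literal "KeychainStore" (macOS)
 *   args[2...]  optional intermediate CA cert files, i.e. what the server sent
 * The file-store password "changeit" is an assumption (keytool's usual default).
 */
public final class TruncatedChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TruncatedChainCheck <leaf> <truststore|KeychainStore> [intermediate...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = readOne(cf, args[0]);
        KeyStore trustStore = loadTrustStore(args[1]);
        List<X509Certificate> sent = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            sent.add(readOne(cf, args[i]));
        }

        // First question to settle: which CA certs does the JDK expose as trusted entries?
        System.out.println("Trusted certificate entries in " + args[1] + ":");
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
                System.out.println("  " + alias + " -> " + c.getSubjectX500Principal());
            }
        }

        try {
            PKIXCertPathBuilderResult result = build(leaf, trustStore, sent);
            System.out.println("Path built; anchor = "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : result.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // JSSE reports this as "unable to find valid certification path to requested target"
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }

    /** Build leaf -> ... -> anchor, with the store's trusted entries as the anchors. */
    static PKIXCertPathBuilderResult build(X509Certificate leaf, KeyStore trustStore,
                                           List<X509Certificate> intermediates)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Every trusted certificate entry becomes a trust anchor, as with a JSSE truststore.
        // An intermediate stored there can therefore anchor the path on its own, so a chain
        // truncated below it still builds; with only the root stored, the server must send it.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        List<X509Certificate> available = new ArrayList<>(intermediates);
        available.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(available)));
        params.setRevocationEnabled(false); // keep the check offline; revocation is a separate concern
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    static KeyStore loadTrustStore(String spec) throws Exception {
        if ("KeychainStore".equals(spec)) {
            KeyStore ks = KeyStore.getInstance("KeychainStore"); // Apple provider, macOS only
            ks.load(null, null);
            return ks;
        }
        // JDK 9+: the keystore type (JKS vs PKCS12) is detected from the file contents
        return KeyStore.getInstance(new File(spec), "changeit".toCharArray());
    }

    static X509Certificate readOne(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```

A test chain for this can be produced with keytool alone (`-genkeypair` for each tier, `-certreq` on the child and `-gencert -ext bc:c` on the parent). Run it once with the intermediate passed as an extra argument and once without, against a store holding only the root, to see the failure the thread describes; then import the intermediate into the store and rerun without it to see the path anchor at the intermediate. Running with `-Djava.security.debug=certpath`, as suggested earlier in the thread, logs the builder's search and shows which certificates it considered. Note that by default the JDK does not fetch missing intermediates from the AIA caIssuers URL; that requires `-Dcom.sun.security.enableAIAcaIssuers=true`, so a client without the intermediate locally is otherwise stuck with whatever the server sends.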
