RFR: 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession
Artur Barashev
abarashev at openjdk.org
Thu Sep 4 17:14:58 UTC 2025
See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake session is not an ExtendedSSLSession, the method returns constraints using a null list of peerSupportedSignAlgs, which in turn means that all certificates will be rejected. Accepting all signature schemes would probably be a better choice here, and that's what we do when the handshake session is not available at all.
The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There are no known third-party providers that return non-extended SSL sessions.
-------------
Commit messages:
- 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession
Changes: https://git.openjdk.org/jdk/pull/27106/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27106&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8365953
Stats: 451 lines in 3 files changed: 406 ins; 14 del; 31 mod
Patch: https://git.openjdk.org/jdk/pull/27106.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/27106/head:pull/27106
PR: https://git.openjdk.org/jdk/pull/27106
More information about the security-dev
mailing list