RFR: 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession

Artur Barashev abarashev at openjdk.org
Thu Sep 4 17:14:58 UTC 2025


See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake session is not an ExtendedSSLSession, the method returns constraints using a null list of peerSupportedSignAlgs, which in turn means that all certificates will be rejected. Accepting all signature schemes would probably be a better choice here, and that's what we do when the handshake session is not available at all.

The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There are no known third-party providers that return non-extended SSL sessions.

-------------

Commit messages:
 - 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession

Changes: https://git.openjdk.org/jdk/pull/27106/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27106&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8365953
  Stats: 451 lines in 3 files changed: 406 ins; 14 del; 31 mod
  Patch: https://git.openjdk.org/jdk/pull/27106.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/27106/head:pull/27106

PR: https://git.openjdk.org/jdk/pull/27106
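
An added example, not part of the original message and not code from the JDK or the pull request: a small check for which of the three cases described above a handshake session falls into. The class `HandshakeSessionCheck`, the method `classify` and the proxy-based stand-in session are hypothetical names constructed for illustration.

```java
import java.lang.reflect.Proxy;
import java.util.Arrays;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLSession;

// Added illustration; requires Java 16+ for pattern matching on instanceof.
public class HandshakeSessionCheck {

    // Hypothetical helper: reports which case from the message applies.
    static String classify(SSLSession handshakeSession) {
        if (handshakeSession == null) {
            // Per the message: with no handshake session at all,
            // all signature schemes are accepted.
            return "no handshake session: all signature schemes accepted";
        }
        if (handshakeSession instanceof ExtendedSSLSession ext) {
            // The normal case: the peer's advertised list is available.
            return "extended session, peer signature algorithms: "
                    + Arrays.toString(ext.getPeerSupportedSignatureAlgorithms());
        }
        // The case in JDK-8365953: no peer list can be read from the session.
        return "non-extended session ("
                + handshakeSession.getClass().getName()
                + "): case described in JDK-8365953";
    }

    public static void main(String[] args) {
        // Constructed stand-in for a provider whose sessions implement
        // only SSLSession and not ExtendedSSLSession.
        SSLSession plain = (SSLSession) Proxy.newProxyInstance(
                HandshakeSessionCheck.class.getClassLoader(),
                new Class<?>[] { SSLSession.class },
                (proxy, method, methodArgs) -> null);

        System.out.println(classify(null));
        System.out.println(classify(plain));
    }
}
```

To check a real provider, pass `SSLSocket.getHandshakeSession()` or `SSLEngine.getHandshakeSession()` to `classify` while a handshake is in progress.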

