RFR: 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession

Daniel Jeliński djelinski at openjdk.org
Fri Sep 5 07:35:11 UTC 2025


On Thu, 4 Sep 2025 17:09:29 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

> See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake session is not an ExtendedSSLSession, the method returns constraints using a null list of peerSupportedSignAlgs, which in turn means that all certificates will be rejected. Accepting all signature schemes would probably be a better choice here, and that's what we do when the handshake session is not available at all.
> 
> The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There are no known third-party providers that return non-extended SSL sessions.

LGTM.

-------------

Marked as reviewed by djelinski (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/27106#pullrequestreview-3188310642


More information about the security-dev mailing list