RFR: 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession
Daniel Jeliński
djelinski at openjdk.org
Fri Sep 5 07:35:11 UTC 2025
On Thu, 4 Sep 2025 17:09:29 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake session is not an ExtendedSSLSession, the method returns constraints using a null list of peerSupportedSignAlgs, which in turn means that all certificates will be rejected. Accepting all signature schemes would probably be a better choice here, and that's what we do when the handshake session is not available at all.
>
> The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There are no known third-party providers that return non-extended SSL sessions.
LGTM.
-------------
Marked as reviewed by djelinski (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/27106#pullrequestreview-3188310642
More information about the security-dev
mailing list