RFR: 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession

Bradford Wetmore wetmore at openjdk.org
Thu Sep 11 01:01:28 UTC 2025


On Thu, 4 Sep 2025 17:09:29 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

> See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake session is not an ExtendedSSLSession, the method returns constraints using a null list of peerSupportedSignAlgs, which in turn means that all certificates will be rejected. Accepting all signature schemes would probably be a better choice here, and that's what we do when the handshake session is not available at all.
> 
> The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There are no known third-party providers that return non-extended SSL sessions.

I missed the changeset for 8359956. Quite a bit of work there.

LGTM also.

-------------

Marked as reviewed by wetmore (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/27106#pullrequestreview-3208318603
