Integrated: 8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession
Artur Barashev
abarashev at openjdk.org
Thu Sep 11 13:57:28 UTC 2025
On Thu, 4 Sep 2025 17:09:29 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake session is not an ExtendedSSLSession, the method returns constraints using a null list of peerSupportedSignAlgs, which in turn means that all certificates will be rejected. Accepting all signature schemes would probably be a better choice here, and that's what we do when the handshake session is not available at all.
>
> The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There are no known third-party providers that return non-extended SSL sessions.
This pull request has now been integrated.
Changeset: 4ea8979b
Author: Artur Barashev <abarashev at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/4ea8979b93f80e9ecbc197ee12ceb523ef8da6aa
Stats: 451 lines in 3 files changed: 406 ins; 14 del; 31 mod
8365953: Key manager returns no certificates when handshakeSession is not an ExtendedSSLSession
Reviewed-by: djelinski, wetmore
-------------
PR: https://git.openjdk.org/jdk/pull/27106