SSL Configurator fix - CertificateRequest not being made in SSL mutual authentication #24847
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…L mutual authentication
dmatej
approved these changes
Mar 8, 2024
avpinchuk
approved these changes
Mar 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The call
setWantClientAuth(-)andsetNeedClientAuth(-)have an XOR effect in https://github.com/openjdk/jdk17/blob/master/src/java.base/share/classes/javax/net/ssl/SSLParameters.java#L219 and https://github.com/openjdk/jdk/blob/27a03e0dc3e08094aebc3524f68617f7e7fb5c5d/src/java.base/share/classes/javax/net/ssl/SSLParameters.java#L218That is, setting one will undo the effect of the other, regardless of the boolean value. In it's current form, the setNeedClientAuth value is not respected if it is true, which leads to a missing CertificateRequest in the TLS handshake. The change in this PR only sets the value if indicated to be true, and gives preference to needClientAuth in the case both are set by the user in the configuration.