@@ -407,7 +407,27 @@ enum SSLExtension implements SSLStringizer {
407407 null ,
408408 PskKeyExchangeModesExtension .chOnTradeAbsence ,
409409 PskKeyExchangeModesExtension .pkemStringizer ),
410- CERTIFICATE_AUTHORITIES (0x002F , "certificate_authorities" ),
410+
411+ CH_CERTIFICATE_AUTHORITIES (0x002F , "certificate_authorities" ,
412+ SSLHandshake .CLIENT_HELLO ,
413+ ProtocolVersion .PROTOCOLS_OF_13 ,
414+ CertificateAuthoritiesExtension .chNetworkProducer ,
415+ CertificateAuthoritiesExtension .chOnLoadConsumer ,
416+ null ,
417+ null ,
418+ null ,
419+ CertificateAuthoritiesExtension .ssStringizer ),
420+
421+ CR_CERTIFICATE_AUTHORITIES (0x002F , "certificate_authorities" ,
422+ SSLHandshake .CERTIFICATE_REQUEST ,
423+ ProtocolVersion .PROTOCOLS_OF_13 ,
424+ CertificateAuthoritiesExtension .crNetworkProducer ,
425+ CertificateAuthoritiesExtension .crOnLoadConsumer ,
426+ null ,
427+ null ,
428+ null ,
429+ CertificateAuthoritiesExtension .ssStringizer ),
430+
411431 OID_FILTERS (0x0030 , "oid_filters" ),
412432 POST_HANDSHAKE_AUTH (0x0030 , "post_handshake_auth" ),
413433
@@ -725,6 +745,50 @@ static final class ClientExtensions {
725745 extensions .remove (CH_MAX_FRAGMENT_LENGTH );
726746 }
727747
748+ // To switch on certificate_authorities extension in ClientHello.
749+ //
750+ // Note: Please be careful to enable this extension in ClientHello.
751+ //
752+ // In practice, if the server certificate cannot be validated by
753+ // the underlying programs, the user may manually check the
754+ // certificate in order to access the service. The certificate
755+ // could be accepted manually, and the handshake continues. For
756+ // example, the browsers provide the manual option to accept
757+ // untrusted server certificate. If this extension is enabled in
758+ // the ClientHello handshake message, and the server's certificate
759+ // does not chain back to any of the CAs in the extension, then the
760+ // server will terminate the handshake and close the connection.
761+ // There is no chance for the client to perform the manual check.
762+ // Therefore, enabling this extension in ClientHello may lead to
763+ // unexpected compatibility issues for such cases.
764+ //
765+ // According to TLS 1.3 specification [RFC 8446] the maximum size
766+ // of the certificate_authorities extension is 2^16 bytes. The
767+ // maximum TLS record size is 2^14 bytes. If the handshake
768+ // message is bigger than maximum TLS record size, it should be
769+ // splitted into several records. In fact, some server
770+ // implementations do not allow ClientHello messages bigger than
771+ // the maximum TLS record size and will immediately abort the
772+ // connection with a fatal alert. Therefore, if the client trusts
773+ // too many certificate authorities, there may be unexpected
774+ // interoperability issues.
775+ //
776+ // Furthermore, if the client trusts more CAs such that it exceeds
777+ // the size limit of the extension, enabling this extension in
778+ // client side does not really make sense any longer as there is
779+ // no way to indicate the server certificate selection accurately.
780+ //
781+ // In general, a server does not use multiple certificates issued
782+ // from different CAs. It is not expected to use this extension a
783+ // lot in practice. When there is a need to use this extension
784+ // in ClientHello handshake message, please take care of the
785+ // potential compatibility and interoperability issues above.
786+ enableExtension = Utilities .getBooleanProperty (
787+ "jdk.tls.client.enableCAExtension" , false );
788+ if (!enableExtension ) {
789+ extensions .remove (CH_CERTIFICATE_AUTHORITIES );
790+ }
791+
728792 defaults = Collections .unmodifiableCollection (extensions );
729793 }
730794 }
0 commit comments