[jdk9] RFR: 8154947: Send empty list of authorities in CertificateRequest, if server has too many of them

Ivan Gerasimov ivan.gerasimov at oracle.com
Fri Apr 22 17:09:34 UTC 2016


Hello everyone!

During TLS handshake, a server may be required to send a 
CertificateRequest, which contains a list of authorities.
If the list happens to be too long, the server is throwing an exception, 
indicating an overflow.

It may be convenient to be able to just drop the list altogether, and 
let the client choose a certificate randomly.
In certain situations this may be preferable to just blocking 
communication.

Would you please help review a patch, which introduces a command-line 
option that controls this behavior of the server?
If the approach is approved, I'll file a CCC request for that option.

BUGURL: https://bugs.openjdk.java.net/browse/JDK-8154947
WEBREV: http://cr.openjdk.java.net/~igerasim/8154947/00/webrev/

With the proposed fix all the security-related regression tests, 
including the modified one, passed on all supported platforms.

With kind regards,
Ivan
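
The overflow and the proposed fallback described in the message above, as an added example that is not the patch in the webrev: it assumes TLS 1.2, where RFC 5246 section 7.4.4 caps the certificate_authorities vector at 2^16-1 bytes and lets the client send any suitable certificate when the list is empty. The class name, the `dropIfTooLong` parameter and the sample CA names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Added illustration; all names here are hypothetical, not from the JDK patch.
public class CertificateAuthoritiesField {
    // RFC 5246, 7.4.4: DistinguishedName certificate_authorities<0..2^16-1>
    static final int MAX_VECTOR_LEN = 0xFFFF;

    static void putInt16(ByteArrayOutputStream out, int v) {
        out.write((v >>> 8) & 0xFF);
        out.write(v & 0xFF);
    }

    // Encodes the field. When the names do not fit and dropIfTooLong is set,
    // an empty vector is sent instead of failing the handshake.
    static byte[] encode(List<X500Principal> authorities, boolean dropIfTooLong) {
        ByteArrayOutputStream names = new ByteArrayOutputStream();
        for (X500Principal ca : authorities) {
            byte[] der = ca.getEncoded();   // DER-encoded DistinguishedName
            putInt16(names, der.length);    // opaque DistinguishedName<1..2^16-1>
            names.write(der, 0, der.length);
        }
        if (names.size() > MAX_VECTOR_LEN) {
            if (!dropIfTooLong) {
                throw new IllegalStateException("authorities overflow: " + names.size());
            }
            names.reset();                  // empty list: client may pick any certificate
        }
        ByteArrayOutputStream field = new ByteArrayOutputStream();
        putInt16(field, names.size());
        field.write(names.toByteArray(), 0, names.size());
        return field.toByteArray();
    }

    public static void main(String[] args) {
        List<X500Principal> cas = new ArrayList<>();
        for (int i = 0; i < 3000; i++) {    // constructed sample trust store
            String dn = String.format("CN=Constructed Test CA %04d, O=Example, C=US", i);
            cas.add(new X500Principal(dn));
        }
        System.out.println("3 CAs: " + encode(cas.subList(0, 3), false).length + " bytes");
        System.out.println("3000 CAs, fallback: " + encode(cas, true).length + " bytes");
        try {
            encode(cas, false);
        } catch (IllegalStateException e) {
            System.out.println("3000 CAs, strict: " + e.getMessage());
        }
    }
}
```

With the fallback enabled the field shrinks to its two-byte length prefix, so the server no longer tells the client which issuers it accepts; certificate validation on the server side is unchanged.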


