[jdk9] RFR: 8154947: Send empty list of authorities in CertificateRequest, if server has too many of them

Ivan Gerasimov ivan.gerasimov at oracle.com
Tue Apr 26 10:57:59 UTC 2016

Here's a modified version of the fix.

Instead of a boolean-type property, a string-type property is introduced.
It is used to specify the strategy to use if we encounter an overflow 
while filling the list of authorities.

The default strategy is to throw an exception (just like the currently 
implemented behavior).

It can also be set to the values 'empty' or 'truncate', which will make 
the server send an empty or truncated list upon overflow.

Would you please help review it?


With kind regards,

On 22.04.2016 20:09, Ivan Gerasimov wrote:
> Hello everyone!
> During TLS handshake, a server may be required to send a 
> CertificateRequest, which contains a list of authorities.
> If the list happens to be too long, the server is throwing an 
> exception, indicating an overflow.
> It may be convenient to be able to just drop the list altogether, and 
> let the client choose a certificate randomly.
> In certain situations this may be more preferable than just blocking 
> communication.
> Would you please help review a patch, which introduces a command-line 
> option that controls this behavior of the server?
> If the approach is approved, I'll file a CCC request for that option.
> BUGURL: https://bugs.openjdk.java.net/browse/JDK-8154947
> WEBREV: http://cr.openjdk.java.net/~igerasim/8154947/00/webrev/
> With the proposed fix all the security-related regression tests, 
> including the modified one, passed on all supported platforms.
> With kind regards,
> Ivan
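
The three overflow strategies described in this thread, as an added example that is not part of the original message or of the JDK patch. It models the TLS 1.2 `certificate_authorities<0..2^16-1>` vector, where each name carries a 2-byte length prefix. The class, enum and method names are hypothetical, the input names are constructed filler bytes, and "truncate" is assumed to mean keeping the names, in order, that still fit.

```java
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.List;

public class AuthoritiesOverflowDemo {
    // Hypothetical names for the three strategies described in the thread.
    enum Strategy { THROW, EMPTY, TRUNCATE }

    // certificate_authorities<0..2^16-1>: the vector body is limited to 65535 bytes.
    static final int MAX_VECTOR_BYTES = 0xFFFF;

    /** Encodes the names as a TLS vector, applying the strategy on overflow. */
    static byte[] encode(List<byte[]> names, Strategy strategy) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] dn : names) {
            int entryLen = 2 + dn.length;          // 2-byte length prefix + name bytes
            if (body.size() + entryLen > MAX_VECTOR_BYTES) {
                switch (strategy) {
                    case EMPTY:    body.reset(); break;  // send no authorities at all
                    case TRUNCATE: break;                // keep the names that already fit
                    default: throw new IllegalStateException("authorities list overflow");
                }
                break;                             // stop adding names after an overflow
            }
            body.write(dn.length >> 8);            // high byte of the name length
            body.write(dn.length);                 // low byte of the name length
            body.write(dn, 0, dn.length);
        }
        byte[] out = new byte[2 + body.size()];    // 2-byte length of the whole vector
        out[0] = (byte) (body.size() >> 8);
        out[1] = (byte) body.size();
        System.arraycopy(body.toByteArray(), 0, out, 2, body.size());
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: 700 filler "names" of 100 bytes each (not real DER),
        // 71400 bytes with prefixes, which exceeds the 65535-byte limit.
        List<byte[]> names = new ArrayList<>();
        for (int i = 0; i < 700; i++) names.add(new byte[100]);
        System.out.println("empty:    " + encode(names, Strategy.EMPTY).length + " bytes");
        System.out.println("truncate: " + encode(names, Strategy.TRUNCATE).length + " bytes");
        try {
            encode(names, Strategy.THROW);
        } catch (IllegalStateException e) {
            System.out.println("throw:    " + e.getMessage());
        }
    }
}
```

With a truncated list, a client whose certificate was issued by one of the dropped authorities may conclude it has no acceptable certificate, whereas an empty list leaves the choice entirely to the client.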
