JDK-8210846

TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth


    • b13
    • generic
    • generic
    • Not verified

        ADDITIONAL SYSTEM INFORMATION :
         /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java -version
        java version "11" 2018-09-25
        Java(TM) SE Runtime Environment 18.9 (build 11+28)
        Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11+28, mixed mode)


        A DESCRIPTION OF THE PROBLEM :
        I am currently in the process of adding TLS 1.3 support into netty-tcnative[1] which uses JNI to make use of OpenSSL for it. During this work I noticed that I received test-failures when mutual auth is used and the JDK implementation is used on the client side. When using the JDK implementation on the server and client side all works as expected. Also if I use another protocol (like TLSv1.2) all works as expected.

        The problem I am observing is that the client seems to send the certificate “too late” and so the server (which uses openssl) will report an error that the client did not provide a certificate (even when it was required).

        For more details and debug logs see:

        http://mail.openjdk.java.net/pipermail/security-dev/2018-September/018240.html

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        See:

        https://github.com/normanmaurer/jdktls13bugreproducer

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Handshake and mutual auth completes successfully.
        ACTUAL -
        Server is not able to see the client cert.

        ---------- BEGIN SOURCE ----------
        https://github.com/normanmaurer/jdktls13bugreproducer
        ---------- END SOURCE ----------

        FREQUENCY : always


              jnimeh Jamil Nimeh
              webbuggrp Webbug Group