JDK-8236039

JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3

Details

    • b05
    • Verified

      Description

        The JSSE client will not accept the status_request message when TLS 1.3 is negotiated and the server sends a CertificateRequest message with that extension in it.

        When this occurs the client throws an exception:
        javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

        This is an allowed extension in TLS 1.3.

        Since the client does not currently support OCSP stapling, the client should not throw an exception on the extension, but instead should proceed with presenting the certificate without any OCSP response information.

        Support for client-side OCSP stapling is out of scope for this bug and should be filed as a separate RFE.
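The tolerant handling described above, as an added Java example that is not the JDK's own code or the fix itself: it walks the extension block of a TLS 1.3 CertificateRequest, rejects types defined only for other messages, and skips permitted types the client does not act on, such as status_request (5). The allowed list follows RFC 8446 section 4.2; the class name, the `SUPPORTED` set, the sample in `OTHER_MESSAGES_ONLY` and the message bytes are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLHandshakeException;

public class CertReqExtensions {
    // Types RFC 8446 section 4.2 permits in a TLS 1.3 CertificateRequest.
    static final Set<Integer> ALLOWED_IN_CR = Set.of(5, 13, 18, 47, 48, 50);
    // Non-exhaustive sample of types defined only for other messages (assumed for the example).
    static final Set<Integer> OTHER_MESSAGES_ONLY = Set.of(0, 10, 16, 43, 51);
    // Assumption: this hypothetical client acts on these; status_request (5) is not among them.
    static final Set<Integer> SUPPORTED = Set.of(13, 47, 50);

    /** Returns the extension types the client acts on; other permitted types are skipped. */
    static List<Integer> parse(byte[] body) throws SSLHandshakeException {
        ByteBuffer in = ByteBuffer.wrap(body);
        List<Integer> acted = new ArrayList<>();
        Set<Integer> seen = new HashSet<>();
        try {
            int ctxLen = in.get() & 0xFF;           // certificate_request_context<0..2^8-1>
            in.position(in.position() + ctxLen);
            int total = in.getShort() & 0xFFFF;     // Extension extensions<2..2^16-1>
            if (total != in.remaining()) throw new SSLHandshakeException("bad extensions length");
            while (in.hasRemaining()) {
                int type = in.getShort() & 0xFFFF;
                int len = in.getShort() & 0xFFFF;
                in.position(in.position() + len);   // skip extension_data; only the type matters here
                if (!seen.add(type)) throw new SSLHandshakeException("duplicate extension (" + type + ")");
                if (OTHER_MESSAGES_ONLY.contains(type))
                    throw new SSLHandshakeException(
                        "extension (" + type + ") should not be presented in certificate_request");
                if (ALLOWED_IN_CR.contains(type) && SUPPORTED.contains(type)) acted.add(type);
                // Otherwise: permitted but unsupported (status_request) or unrecognized, so ignore.
            }
        } catch (java.nio.BufferUnderflowException | IllegalArgumentException e) {
            throw new SSLHandshakeException("truncated certificate_request");
        }
        if (!seen.contains(13)) throw new SSLHandshakeException("signature_algorithms missing");
        return acted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed message body: empty context, signature_algorithms, empty status_request.
        byte[] msg = {0x00, 0x00, 0x0c, 0x00, 0x0d, 0x00, 0x04, 0x00, 0x02, 0x08, 0x04,
                      0x00, 0x05, 0x00, 0x00};
        System.out.println("acted on: " + parse(msg));
    }
}
```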

        Attachments

          1. cert.pem
            4 kB
          2. key.pem
            2 kB
          3. ssl-handshake.log
            15 kB
          4. SSLSocketClient.java
            1 kB
          5. tlsserv.go
            3 kB

              People

                jnimeh Jamil Nimeh