JDK-8236039

JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3

    • b05
    • Verified

        The JSSE client will not accept the status_request message when TLS 1.3 is negotiated and the server sends a CertificateRequest message with that extension in it.

        When this occurs the client throws an exception:
        javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

        This is an allowed extension in TLS 1.3.

        Since the client does not currently support OCSP stapling, the client should not throw an exception on the extension, but instead should proceed with presenting the certificate without any OCSP response information.

        Support for client-side OCSP stapling is out of scope for this bug and should be filed as a separate RFE.

          1. tlsserv.go
            3 kB
          2. ssl-handshake.log
            15 kB
          3. SSLSocketClient.java
            1 kB
          4. cert.pem
            4 kB
          5. key.pem
            2 kB
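
Added example (Python, not part of the bug report and not JDK code): a parser for a TLS 1.3 CertificateRequest body that applies the RFC 8446 section 4.2 table of extensions permitted in that message, accepting status_request and ignoring it on a client without OCSP stapling, as the report asks. The function names, the client capability set and the sample bytes are constructed for illustration.

```python
import struct

# RFC 8446 section 4.2: extensions permitted in CertificateRequest ("CR").
ALLOWED_IN_CR = {5: "status_request", 13: "signature_algorithms",
                 18: "signed_certificate_timestamp", 47: "certificate_authorities",
                 48: "oid_filters", 50: "signature_algorithms_cert"}
# Recognized but not listed for CR: server_name, supported_groups,
# supported_versions, key_share.
KNOWN_NOT_IN_CR = {0, 10, 43, 51}
CLIENT_ACTS_ON = {13, 47, 50}  # assumption: no client-side OCSP stapling
SAMPLE_CR = bytes.fromhex("00000e00050000000d0006000404030804")  # constructed sample


class HandshakeError(Exception):
    """Stands in for a fatal TLS alert."""


def parse_certificate_request(body: bytes):
    """Split a CertificateRequest body into (context, [(ext_type, ext_data)])."""
    try:
        ctx_end = 1 + body[0]
        (ext_total,) = struct.unpack_from("!H", body, ctx_end)
        pos = ctx_end + 2
        if pos + ext_total != len(body):
            raise HandshakeError("decode_error: extensions length mismatch")
        exts = []
        while pos < len(body):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + ext_len
            if end > len(body):
                raise HandshakeError("decode_error: extension overruns message")
            exts.append((ext_type, body[pos + 4:end]))
            pos = end
    except (IndexError, struct.error):
        raise HandshakeError("decode_error: truncated CertificateRequest") from None
    return body[1:ctx_end], exts


def check_extensions(exts):
    """Return (acted_on, ignored) names; abort only where RFC 8446 requires it."""
    acted_on, ignored = [], []
    for ext_type, _ in exts:
        if ext_type in KNOWN_NOT_IN_CR:
            raise HandshakeError(f"illegal_parameter: extension ({ext_type}) in CR")
        name = ALLOWED_IN_CR.get(ext_type, f"unknown({ext_type})")
        (acted_on if ext_type in CLIENT_ACTS_ON else ignored).append(name)
    if "signature_algorithms" not in acted_on:
        raise HandshakeError("missing_extension: signature_algorithms")
    return acted_on, ignored
```

For `SAMPLE_CR`, the empty status_request lands in the ignored list and the handshake continues with signature_algorithms only.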

              jnimeh Jamil Nimeh