JDK-8311114

Mutual TLS NeedClientAuth configuration gets reset to ClientAuthNone as tri state logic is controlled by a boolean value


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P4
    • Component: core-libs

      Both jdk.httpserver's SSLStreams and java.net.http's Utils class reset the NeedClientAuth setting to none. As a result, the server is prevented from requesting a client certificate. In the short term we should only call the setter methods if the corresponding getter methods return true, because the setter methods mutate state and override a single variable. As a long-term fix it would be great if the ClientAuthType enum could be moved out of the sun internal package into the public API, allowing users to set the enum instead of using boolean setter methods for mTLS configuration.
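The reset described above can be reproduced with javax.net.ssl.SSLParameters alone, whose Javadoc states that setNeedClientAuth() clears the wantClientAuth flag and vice versa. The following is an added example, not JDK code: copyUnconditionally mirrors the copy pattern the issue describes (need copied first, then want), and copyGuarded shows the short-term fix of only calling a setter when the source getter is true.

```java
import javax.net.ssl.SSLParameters;

public class ClientAuthCopy {

    // Tri-state view of the two booleans, matching the REQUIRED/WANTED/NONE
    // semantics that the internal ClientAuthType enum expresses.
    static String clientAuth(SSLParameters p) {
        if (p.getNeedClientAuth()) return "REQUIRED";
        if (p.getWantClientAuth()) return "WANTED";
        return "NONE";
    }

    // The defect: each flag is copied unconditionally. Because each setter
    // clears the other flag, the trailing setWantClientAuth(false) erases
    // the REQUIRED state that setNeedClientAuth(true) just established.
    static SSLParameters copyUnconditionally(SSLParameters src) {
        SSLParameters dst = new SSLParameters();
        dst.setNeedClientAuth(src.getNeedClientAuth()); // true  -> REQUIRED
        dst.setWantClientAuth(src.getWantClientAuth()); // false -> NONE again
        return dst;
    }

    // The short-term fix from the issue: a setter is invoked only when the
    // source getter is true, so a false can never overwrite an earlier true.
    static SSLParameters copyGuarded(SSLParameters src) {
        SSLParameters dst = new SSLParameters();
        if (src.getNeedClientAuth()) {
            dst.setNeedClientAuth(true);
        } else if (src.getWantClientAuth()) {
            dst.setWantClientAuth(true);
        }
        return dst;
    }

    public static void main(String[] args) {
        // Constructed input: an operator configuring mandatory client certs.
        SSLParameters mtls = new SSLParameters();
        mtls.setNeedClientAuth(true);

        System.out.println("source        : " + clientAuth(mtls));
        System.out.println("unconditional : " + clientAuth(copyUnconditionally(mtls)));
        System.out.println("guarded       : " + clientAuth(copyGuarded(mtls)));

        // Regression check a server-side mTLS integration test could carry.
        if (!"REQUIRED".equals(clientAuth(copyGuarded(mtls)))) {
            throw new AssertionError("client auth requirement was lost in copy");
        }
    }
}
```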

      In addition, SunX509KeyManagerImpl can be enhanced to inspect ExtendedKeyUsage for server and client authentication when picking an alias in the keystore. The current implementation doesn't check certificate extensions to evaluate whether a given private key/certificate pair can support server-side auth versus client-side auth. We can enhance the alias selection to look at the extended key usage OIDs in addition to the existing checks. This would allow a single keystore to support both client-side and server-side auth, improving usability.

            Assignee: Unassigned
            Reporter: Sandhya Viswanathan (sviswanathan)