Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8311644

Server should not send bad_certificate alert when the client does not send any certificates

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P3 P3
    • 23
    • 8, 11, 17, 20, 21, 22
    • security-libs
    • b12
    • Verified

      Currently when the server needs client authentication and the client does not produce any certificates, the connection is aborted with "bad_certificate" alert.

      I checked the TLS1.0-1.3 specs; 1.0-1.2 recommend handshake_failure, and 1.3 recommends certificate_required alert.

      Additionally, [TLS1.3]:
      If the server supplies an empty Certificate message, the client MUST abort the handshake with a "decode_error" alert.

            ascarpino Anthony Scarpino
            djelinski Daniel Jelinski
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: