- Enhancement
- Resolution: Unresolved
- P4
- None
- None
- generic
- generic
ADDITIONAL SYSTEM INFORMATION :
From the code history of https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java, this incompatibility has existed from the beginning.
A DESCRIPTION OF THE PROBLEM :
In some circumstances the server may want the client to send whatever
client certificate it has on hand, with no help from server hints to
decide which will be appropriate. To enable this use case, a TLS 1.3
server will send the authority names extension even when the list of subjects
is empty.
Java is incompatible with this use case, and RFC 8446 contains no wording
saying that an authority names extension should not be empty.
FREQUENCY : always
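Added example, not part of the original report and not JDK code: a standalone Java parser for the body of the TLS 1.3 `certificate_authorities` extension, showing the point at which an empty list is either accepted as "no CA hints" or rejected. The class name, the `parse` method and its `allowEmpty` flag are hypothetical, and the sample bytes are constructed.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
// Added illustration; names are hypothetical and this is not the JDK's internal class.
public class CertificateAuthoritiesParser {
    // extension_data = uint16 list length, then repeated (uint16 length + DER-encoded Name).
    static List<X500Principal> parse(byte[] extensionData, boolean allowEmpty) {
        ByteBuffer buf = ByteBuffer.wrap(extensionData);
        if (buf.remaining() < 2) {
            throw new IllegalArgumentException("truncated authorities length");
        }
        int listLen = buf.getShort() & 0xFFFF;
        if (listLen != buf.remaining()) {
            throw new IllegalArgumentException("authorities length mismatch");
        }
        if (listLen == 0 && !allowEmpty) {
            // RFC 8446 section 4.2.4 declares the vector as authorities<3..2^16-1>.
            throw new IllegalArgumentException("empty certificate_authorities");
        }
        List<X500Principal> names = new ArrayList<>();
        while (buf.hasRemaining()) {
            if (buf.remaining() < 2) {
                throw new IllegalArgumentException("truncated name length");
            }
            int nameLen = buf.getShort() & 0xFFFF;
            if (nameLen == 0 || nameLen > buf.remaining()) {
                throw new IllegalArgumentException("bad DistinguishedName length");
            }
            byte[] der = new byte[nameLen];
            buf.get(der);
            names.add(new X500Principal(der)); // IllegalArgumentException on bad DER
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample: a list holding one authority, CN=Test CA.
        byte[] der = new X500Principal("CN=Test CA").getEncoded();
        ByteBuffer one = ByteBuffer.allocate(4 + der.length);
        one.putShort((short) (2 + der.length)).putShort((short) der.length).put(der);
        System.out.println(parse(one.array(), false)); // [CN=Test CA]
        byte[] empty = {0x00, 0x00}; // constructed: zero-length authorities vector
        System.out.println(parse(empty, true)); // lenient: [] means no CA hints
        try { parse(empty, false); } catch (IllegalArgumentException e) {
            System.out.println("strict: " + e.getMessage());
        }
    }
}
```

With `allowEmpty` set, a client would treat the empty result as having no issuer constraint and choose a certificate from its key store on its own policy.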