com.sun.net.httpserver.HttpsParameters has a setNeedClientAuth(boolean) method whose javadoc says:
> Sets whether client authentication should be required. Calling this method clears the {@code wantClientAuth} flag.
However, the implementation of this method doesn't currently clear the wantClientAuth flag.
The same class has another method, setWantClientAuth(boolean), whose javadoc says:
> Sets whether client authentication should be requested. Calling this method clears the {@code needClientAuth} flag.
The implementation of this method doesn't clear the needClientAuth flag.
These methods mirror the methods on the javax.net.ssl.SSLParameters class, and their javadoc matches the javadoc of the SSLParameters methods. It is the implementation of these methods in HttpsParameters which needs to be fixed to match their API javadoc.
Furthermore, related to the HttpsParameters class, there is the sun.net.httpserver.SSLStreams class, which reads the configured needClientAuth and wantClientAuth values from the HttpsParameters instance and sets them on the SSLEngine:
```java
engine.setNeedClientAuth(params.getNeedClientAuth());
engine.setWantClientAuth(params.getWantClientAuth());
```
This, however, is an incorrect way to do it, since the SSLEngine's setNeedClientAuth and setWantClientAuth each reset the state of these mutually exclusive flags: whichever call comes second overrides the first.
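The following is an added example, not code from the JDK or from this issue. It uses a hypothetical ClientAuthParams class (a stand-in for HttpsParameters) that implements the documented mutually exclusive semantics, and contrasts the two-call pattern quoted above with an application step that makes exactly one call on the SSLEngine so that the configured value survives. The method names applyNaively, applyCorrectly and describe are the example's own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical stand-in for HttpsParameters (not the JDK's own code).
// Implements the semantics the javadoc describes: each setter clears
// the other flag, so at most one of need/want is ever true.
final class ClientAuthParams {
    private boolean needClientAuth;
    private boolean wantClientAuth;

    void setNeedClientAuth(boolean need) {
        needClientAuth = need;
        wantClientAuth = false;   // javadoc: clears the wantClientAuth flag
    }

    void setWantClientAuth(boolean want) {
        wantClientAuth = want;
        needClientAuth = false;   // javadoc: clears the needClientAuth flag
    }

    boolean getNeedClientAuth() { return needClientAuth; }
    boolean getWantClientAuth() { return wantClientAuth; }
}

public class ClientAuthDemo {

    // The two-call pattern quoted from SSLStreams. On SSLEngine every call
    // to setNeedClientAuth/setWantClientAuth overrides the previous one, so
    // the second call (setWantClientAuth(false) here) discards "need".
    static void applyNaively(SSLEngine engine, ClientAuthParams p) {
        engine.setNeedClientAuth(p.getNeedClientAuth());
        engine.setWantClientAuth(p.getWantClientAuth());
    }

    // Make exactly one call so the last word on the engine is the
    // configured value. setNeedClientAuth(false) clears both flags.
    static void applyCorrectly(SSLEngine engine, ClientAuthParams p) {
        if (p.getNeedClientAuth()) {
            engine.setNeedClientAuth(true);
        } else if (p.getWantClientAuth()) {
            engine.setWantClientAuth(true);
        } else {
            engine.setNeedClientAuth(false);
        }
    }

    // Report the engine's effective tri-state client-auth mode.
    static String describe(SSLEngine e) {
        if (e.getNeedClientAuth()) return "NEED";
        if (e.getWantClientAuth()) return "WANT";
        return "NONE";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Operator configuration: client certificates are required.
        ClientAuthParams p = new ClientAuthParams();
        p.setNeedClientAuth(true);

        SSLEngine naive = ctx.createSSLEngine();
        naive.setUseClientMode(false);
        applyNaively(naive, p);
        System.out.println("two-call pattern: " + describe(naive));

        SSLEngine fixed = ctx.createSSLEngine();
        fixed.setUseClientMode(false);
        applyCorrectly(fixed, p);
        System.out.println("single call:      " + describe(fixed));
    }
}
```

Run with `java ClientAuthDemo.java`. The first engine ends up with client authentication disabled even though the configuration asked for it to be required (the failure mode named in the related issue JDK-8311114), while the second engine keeps the required setting. The check worth keeping from this is the describe() step: after applying parameters, read the engine's own getNeedClientAuth()/getWantClientAuth() back rather than trusting the values that were passed in.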
Issue links:
- CSR for: JDK-8326413 com.sun.net.httpserver.HttpsParameters and SSLStreams incorrectly handle needClientAuth and wantClientAuth (Closed)
- Relates to: JDK-8311114 Mutual TLS NeedClientAuth configuration gets reset to ClientAuthNone as tri state logic is controlled by a boolean value (New)
- Relates to: JDK-8326233 Utils#copySSLParameters loses needClientAuth Setting (Closed)