JDK / JDK-8331163

Consider Trust Settings to select SSL certificate


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P3
    • Component: security-libs

      Apple Provider does not use Trust Settings from the keychain to select the Server or Client SSL certificate. As a result, the SSL Server or Client (in case of mutual authentication) can choose and send untrusted certificates to the peer.
      How to reproduce:
      1) Import the private key and SSL Server certificate to the Keychain
      2) Open the Keychain Access app and set "Never Trust" for the added SSL certificate
      3) Run the SSL server with keystore type "KeychainStore" and the "NewSunX509" key manager factory
      4) Import the SSL certificate into the PKCS12 truststore
      5) Run the SSL client with the PKCS12 truststore

      Expected behavior:
      SSL server selects another trusted SSL certificate from the KeychainStore OR fails because of no suitable trusted certificates

      Actual behavior:
      SSL server completes handshake successfully, sending an untrusted SSL certificate to the client.

            abakhtin Alexey Bakhtin
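
A diagnostic for the configuration in step 3, added here as an example and not taken from the issue or from the JDK sources: it prints which Keychain certificate the "NewSunX509" key manager would present, so the result can be compared with the trust setting shown in Keychain Access. The class name `KeychainAliasCheck` and the placeholder password are assumptions; it only runs on macOS.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Added diagnostic (hypothetical class name); requires macOS and the Apple provider. */
public class KeychainAliasCheck {
    public static void main(String[] args) throws Exception {
        // Same configuration as step 3 of the report: KeychainStore + NewSunX509.
        KeyStore ks = KeyStore.getInstance("KeychainStore");
        ks.load(null, null);

        // Assumption: a placeholder password is enough to initialise the factory
        // for KeychainStore key entries.
        char[] placeholder = "-".toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(ks, placeholder);

        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) {
                continue;
            }
            X509KeyManager xkm = (X509KeyManager) km;
            for (String keyType : new String[] {"RSA", "EC"}) {
                // Null issuers and socket: no peer constraints, as before any handshake.
                report(xkm, "server/" + keyType, xkm.chooseServerAlias(keyType, null, null));
                report(xkm, "client/" + keyType,
                        xkm.chooseClientAlias(new String[] {keyType}, null, null));
            }
        }
    }

    /** Prints the leaf certificate behind the alias the key manager selected. */
    private static void report(X509KeyManager km, String role, String alias) {
        X509Certificate[] chain = (alias == null) ? null : km.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.out.printf("%s: no suitable key entry%n", role);
            return;
        }
        X509Certificate leaf = chain[0];
        System.out.printf("%s: alias=%s subject=%s serial=%s notAfter=%s%n",
                role, alias, leaf.getSubjectX500Principal().getName(),
                leaf.getSerialNumber().toString(16), leaf.getNotAfter());
    }
}
```

If the printed subject and serial match a certificate marked "Never Trust" in Keychain Access, the selection described under "Actual behavior" is occurring on that host.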