Type: Enhancement
Resolution: Unresolved
Priority: P3
CPU: generic
OS: os_x
The Apple Provider does not consult the Trust Settings stored in the keychain when selecting the server or client SSL certificate. As a result, the SSL server, or the SSL client in the mutual-authentication case, can select and send an untrusted certificate to the peer.
How to reproduce:
1) Import private key and SSL Server certificate to the Keychain
2) Open the Keychain Access app and set "Never Trust" for the added SSL certificate
3) Run SSL server with keystore type "KeychainStore" and "NewSunX509" key manager factory
4) Import SSL certificate into the PKCS12 truststore
5) Run SSL client with PKCS12 truststore
Expected behavior:
The SSL server selects another, trusted SSL certificate from the KeychainStore, or fails because no suitable trusted certificate is available.
Actual behavior:
SSL server completes handshake successfully, sending an untrusted SSL certificate to the client.
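Until the provider honours the keychain's Trust Settings, an application can enforce the expected behaviour itself by vetting the alias the key manager picks. The following wrapper is an added example, not JDK code: the class name TrustedAliasKeyManager is hypothetical, and it assumes the set of certificates the server is allowed to present is available as an ordinary truststore (for instance the PKCS12 truststore from step 4). Any alias whose leaf certificate is not in that set is refused, so the handshake fails instead of an untrusted certificate being sent.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical wrapper: returns the delegate's alias only when its leaf
// certificate is one of the explicitly trusted certificates.
public final class TrustedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final Set<X509Certificate> trusted = new HashSet<>();

    public TrustedAliasKeyManager(X509ExtendedKeyManager d, KeyStore truststore) throws Exception {
        this.delegate = d;
        for (String a : Collections.list(truststore.aliases())) {
            Object c = truststore.getCertificate(a);   // null for key-only entries
            if (c instanceof X509Certificate) trusted.add((X509Certificate) c);
        }
    }

    // A null alias makes SunJSSE abort the handshake with "no suitable certificate"
    // rather than presenting whatever the KeychainStore happened to contain.
    private String vet(String alias) {
        X509Certificate[] chain = alias == null ? null : delegate.getCertificateChain(alias);
        return (chain != null && chain.length > 0 && trusted.contains(chain[0])) ? alias : null;
    }

    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return vet(delegate.chooseServerAlias(kt, is, s)); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return vet(delegate.chooseEngineServerAlias(kt, is, e)); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return vet(delegate.chooseClientAlias(kt, is, s)); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return vet(delegate.chooseEngineClientAlias(kt, is, e)); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Builds the NewSunX509 key managers from the KeychainStore and wraps each one.
    public static KeyManager[] build(KeyStore keychain, char[] keyPassword, KeyStore truststore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(keychain, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509ExtendedKeyManager)
                kms[i] = new TrustedAliasKeyManager((X509ExtendedKeyManager) kms[i], truststore);
        return kms;
    }
}
```

Pass the result of build() to SSLContext.init() in place of the factory's own key managers; the server then behaves as the "Expected behavior" above describes, failing the handshake when no trusted certificate is available.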
Links to: Review(master) openjdk/jdk/19872