JDK-8206925

Support the certificate_authorities extension

        Description

        See TLS 1.3 specification, RFC 8446.
        "Certificate authorities (CAs) which an endpoint supports and which SHOULD be used by the receiving endpoint to guide certificate selection. ... The client MAY send the "certificate_authorities" extension in the ClientHello message. The server MAY send it in the CertificateRequest message."

        For TLS 1.2 and prior versions, certificate selection is guided by the CertificateRequest, while TLS 1.3 moves this function to the "certificate_authorities" extension.

        The current TLS 1.3 implementation does not support this function, which could lead to improper certificate selection and thus compatibility issues when upgrading from TLS 1.2 to TLS 1.3.
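
An added illustration (not code from the JDK or from this issue) of how the extension guides selection: it parses the extension body as laid out in RFC 8446 section 4.2.4 and picks the first credential whose direct issuer appears in the list. The class name, aliases and CA names are constructed for the example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class CertificateAuthoritiesDemo {
    // RFC 8446 section 4.2.4: uint16 list length, then uint16-prefixed DER DistinguishedNames.
    static List<X500Principal> parse(byte[] extensionData) {
        ByteBuffer buf = ByteBuffer.wrap(extensionData);
        int listLen = buf.remaining() < 2 ? 0 : buf.getShort() & 0xFFFF;
        if (listLen < 3 || listLen != buf.remaining())
            throw new IllegalArgumentException("bad authorities length");
        List<X500Principal> cas = new ArrayList<>();
        while (buf.hasRemaining()) {
            int nameLen = buf.remaining() < 2 ? 0 : buf.getShort() & 0xFFFF;
            if (nameLen < 1 || nameLen > buf.remaining())
                throw new IllegalArgumentException("bad name length");
            byte[] der = new byte[nameLen];
            buf.get(der);
            cas.add(new X500Principal(der)); // rejects malformed DER
        }
        return cas;
    }

    // Simplified: matches the direct issuer only; a real key manager also weighs chain and key type.
    static Optional<String> choose(Map<String, X500Principal> issuerByAlias, List<X500Principal> cas) {
        return issuerByAlias.entrySet().stream().filter(e -> cas.contains(e.getValue()))
                .map(Map.Entry::getKey).findFirst();
    }

    static byte[] encode(X500Principal... names) { // builds the constructed sample input
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (X500Principal n : names) {
            byte[] der = n.getEncoded();
            body.write(der.length >> 8);
            body.write(der.length);
            body.write(der, 0, der.length);
        }
        return ByteBuffer.allocate(2 + body.size())
                .putShort((short) body.size()).put(body.toByteArray()).array();
    }

    public static void main(String[] args) {
        Map<String, X500Principal> creds = new LinkedHashMap<>(); // constructed aliases and issuers
        creds.put("legacy", new X500Principal("CN=Old Internal CA,O=Example"));
        creds.put("current", new X500Principal("CN=New Internal CA,O=Example"));
        byte[] ext = encode(new X500Principal("CN=New Internal CA,O=Example"));
        System.out.println(choose(creds, parse(ext)));  // peer listed one accepted CA
        System.out.println(choose(creds, List.of()));   // no usable list: nothing matches
    }
}
```

In JSSE, a list of acceptable issuers is what a key manager receives as the `issuers` argument of `X509KeyManager.chooseClientAlias` and `chooseServerAlias`.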

                People

                • Assignee: Xue-Lei Fan (xuelei)
                • Reporter: Xue-Lei Fan (xuelei)
