JDK-8236039

JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3

    Details

    • Resolved In Build:
      b05
    • Verification:
      Verified

        Description

        The JSSE client will not accept the status_request message when TLS 1.3 is negotiated and the server sends a CertificateRequest message with that extension in it.

        When this occurs the client throws an exception:
        javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

        This is an allowed extension in TLS 1.3.

        Since the client does not currently support OCSP stapling, the client should not throw an exception on the extension, but instead should proceed with presenting the certificate without any OCSP response information.

        Support for client-side OCSP stapling is out of scope for this bug and should be filed as a separate RFE.
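
As an added illustration (not code from the JDK or from this report), the following Java sketch parses a TLS 1.3 CertificateRequest body and applies the RFC 8446 section 4.2 placement rule under which status_request (5) is permitted in that message. The class and method names, the KNOWN_ELSEWHERE subset and the sample bytes are assumptions constructed for the example.

```java
import java.nio.ByteBuffer;
import java.util.*;

// Added illustration; class, method and set names are hypothetical, not JSSE internals.
public class CertReqExtensionCheck {
    // Extension types RFC 8446 section 4.2 permits in CertificateRequest.
    static final Set<Integer> ALLOWED_IN_CR = Set.of(
            5,    // status_request
            13,   // signature_algorithms
            18,   // signed_certificate_timestamp
            47,   // certificate_authorities
            48,   // oid_filters
            50);  // signature_algorithms_cert
    // Types this sketch recognizes that belong to other messages only (subset).
    static final Set<Integer> KNOWN_ELSEWHERE = Set.of(0, 10, 16, 43, 51);

    /** Returns the permitted extension types found, in wire order. */
    static List<Integer> parse(byte[] body) {
        ByteBuffer in = ByteBuffer.wrap(body);      // big-endian by default
        int ctxLen = in.get() & 0xff;               // certificate_request_context
        in.position(in.position() + ctxLen);
        int extLen = in.getShort() & 0xffff;        // length of the extension block
        if (extLen != in.remaining()) throw new IllegalArgumentException("bad extensions length");
        List<Integer> accepted = new ArrayList<>();
        while (in.hasRemaining()) {
            int type = in.getShort() & 0xffff;
            int len = in.getShort() & 0xffff;
            if (len > in.remaining())
                throw new IllegalArgumentException("truncated extension " + type);
            in.position(in.position() + len);       // skip extension_data
            if (KNOWN_ELSEWHERE.contains(type))     // recognized but misplaced: abort
                throw new IllegalStateException(
                        "extension (" + type + ") not permitted in certificate_request");
            if (ALLOWED_IN_CR.contains(type)) accepted.add(type);
            // any other type is unrecognized here and is ignored
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample: empty context, an empty status_request, and
        // signature_algorithms listing rsa_pss_rsae_sha256 (0x0804).
        byte[] body = {0, 0, 12, 0, 5, 0, 0, 0, 13, 0, 4, 0, 2, 8, 4};
        List<Integer> types = parse(body);
        // status_request (5) is accepted; without client-side OCSP stapling
        // the client attaches no OCSP response to its Certificate message.
        System.out.println("accepted extensions: " + types);
    }
}
```
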

          Attachments

          1. cert.pem
            4 kB
          2. key.pem
            2 kB
          3. ssl-handshake.log
            15 kB
          4. SSLSocketClient.java
            1 kB
          5. tlsserv.go
            3 kB

                People

                • Assignee:
                  jnimeh Jamil Nimeh
                  Reporter:
                  jnimeh Jamil Nimeh