Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8206925 Support the certificate_authorities extension
  3. JDK-8244460

Release Note: Support for certificate_authorities Extension

    XMLWordPrintable

    Details

      Backports

        Description

        The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

        With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

        Applications can enable this extension for server certificate selection by setting the `jdk.tls.client.enableCAExtension` system property to `true`. The default value of the property is `false`.

        Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when `jdk.tls.client.enableCAExtension` is set to `true` and the client trusts more CAs than the server implementation limit.

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                Unassigned Unassigned
                Reporter:
                xuelei Xue-Lei Fan
                Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: