Hi Konrad,

The dependency on X509TrustManagerImpl, though not listed explicitly
in the JEP, is unfortunately part of the dependency we have on
the default SunJSSE provider.

This is a limitation of this implementation. We might get to work on
a better integration with third party JSSE providers in the future,
but we are not there yet.

To solve your issue now I would recommend adding the test
server's certificate to the client truststore, rather than
attempting to weaken the client security for tests.

One example on how to dynamically configure the client
trustore with non-CA signed certificates can be seen
here:

https://github.com/openjdk/jdk/blob/74f9b51f3436018f5f0987cee253d01f2eb27541/test/jdk/java/net/httpclient/altsvc/AltServiceReasonableAssurance.java#L662

Hope this helps,

-- daniel

On 07/07/2026 16:05, Konrad Windszus wrote:
Hi,

I ran into the issue that I cannot use HTTP/3 with JRE HTTP Client with a 
custom trust manager. It always fails with UnsupportedProtocolException: HTTP3 
is not supported (thrown from 
https://github.com/openjdk/jdk/blob/b3100b4173184a8c9d9c9ef0975c795bd4d64b7f/src/java.net.http/share/classes/jdk/internal/net/http/HttpClientImpl.java#L480).

The reason seems to be this guard: 
https://github.com/openjdk/jdk/blob/631b675d7949a0e6312d8d6f45e2515d53b12f05/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java#L529
 which is not passed when leveraging a custom trust manager (implementing a 
trust all policy).

My use case is both an IT accepting all certificates as well as an application 
flag which deliberately weakens security. Please find some example code in 
https://github.com/apache/maven-resolver/blob/16bbda7e6afebb133aed63fe36ade1c850804b07/maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk11/src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java#L490-L515.

How to I connect via HTTP/3 with a trust all policy trust manager?

Although https://openjdk.org/jeps/517 explicitly states: "This first 
implementation of HTTP/3 will not support secure-socket providers other than the 
default provider, SunJSSE.”
It doesn’t state anything about custom trust managers.

Thanks in advance for your thoughts.
Konrad

Reply via email to