On Wed, 31 Jan 2024 20:43:31 GMT, Bernd <d...@openjdk.org> wrote:

>> John Jiang has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   fix more error messages
>
> src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 389:
>
>> 387:     // unexpected or require client authentication
>> 388:     throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
>> 389:         "Empty client certificate chain");
>
> Hm, in tls1.3 it should be certificate_required and in 1.2 handshake_failure
> for required auth.
>
> rfc8446 6.2 “certificate_required: Sent by servers when a client certificate
> is desired but none was provided by the client.”
>
> rfc5246 7.4.6 “If the client does not send any certificates, the
> server MAY at its discretion either continue the handshake without
> client authentication, or respond with a fatal handshake_failure
> alert.”

Thanks for raising this point.
I just filed a JBS issue: https://bugs.openjdk.org/browse/JDK-8325079

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17645#discussion_r1473724754