Bad exception message in SSLHandshakeException ?

Wed, 24 Apr 2024 06:51:54 -0700 

Hi,
I think that maybe I found a bad message for SSLHanshakeException in sun.security.ssl.CertificateMessage. 


At server side configured with *CLIENT_AUTH_REQUIRED*, I get this 
SSLHanshakeException when trying to connect with a client sending an 
empty cert chain :



|Caused by: javax.net.ssl.SSLHandshakeException: Empty server 
certificate chain at 
sun.security.ssl.Alert.createSSLException(Alert.java:131) at 
sun.security.ssl.Alert.createSSLException(Alert.java:117) at 
sun.security.ssl.TransportContext.fatal(TransportContext.java:318) at 
sun.security.ssl.TransportContext.fatal(TransportContext.java:274) at 
sun.security.ssl.TransportContext.fatal(TransportContext.java:265) at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390) 
at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375) 
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) at 
sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at 
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981) 
at 
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968) 
at java.security.AccessController.doPrivileged(Native Method) at 
sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915) 
at 
io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651) 
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497) at 
io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338) 
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387) at 
io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) 
at 
io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) 
|


In that case, I think it should be "Empty client certificate chain||" ?


Looking at the *sun.security.ssl.CertificateMessage* code it seems that 
same error message is used for client/server and for "empty when 
required cert chain" and "certificate message receive when not required 
or requested".

We should probably have 3 different message :

 * "Empty server certificate chain"
 * "Client authentication required but empty client certificate chain||
   received"
 * "Unexpected client Certificate message received because client
   authentication is not requested or required"


(some more details at : 
https://github.com/netty/netty/issues/13993#issuecomment-2074966726)


tested with openJDK 8 and 17.

HTH

Simon






















					Reply via email to