Hi Simon,

Thanks for reporting. The problem is already tracked under https://bugs.openjdk.org/browse/JDK-8325022.

Cheers,
Daniel

Wed, 24 Apr 2024 at 15:52 Simon Bernard <cont...@simonbernard.eu> wrote:
>
> Hi,
>
> I think that maybe I found a bad message for SSLHandshakeException in
> sun.security.ssl.CertificateMessage.
>
> At server side configured with CLIENT_AUTH_REQUIRED, I get this
> SSLHandshakeException when trying to connect with a client sending an empty
> cert chain:
>
> Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
>     at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at sun.security.ssl.Alert.createSSLException(Alert.java:117)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:318)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:274)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:265)
>     at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
>     at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
>     at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
>     at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
>     at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
>     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
>     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
>
> In that case, I think it should be "Empty client certificate chain"?
>
> Looking at the sun.security.ssl.CertificateMessage code it seems that the same
> error message is used for client/server and for "empty when required cert
> chain" and "certificate message received when not required or requested".
> We should probably have 3 different messages:
>
> "Empty server certificate chain"
> "Client authentication required but empty client certificate chain received"
> "Unexpected client Certificate message received because client authentication
> is not requested or required"
>
> (some more details at:
> https://github.com/netty/netty/issues/13993#issuecomment-2074966726)
>
> Tested with openJDK 8 and 17.
>
> HTH
>
> Simon
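A minimal standalone reproducer for the misleading message discussed above, added here as an example and not taken from the thread, Netty or the JDK: a TLS 1.2 server that requires client authentication (matching the T12CertificateConsumer frame in the trace) and a client with no KeyManager, which therefore answers the CertificateRequest with an empty chain. It assumes a PKCS12 keystore "server.p12" with password "changeit" holding the server key and certificate; the client reuses that file as its trust store.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;

// Assumed inputs (not from the thread): server.p12 / "changeit" containing the
// server's private key and certificate. The client side deliberately gets no
// KeyManager, so it has no certificate to present when the server asks for one.
public class EmptyClientChainRepro {
    static SSLContext context(KeyStore ks, char[] pw, boolean withKey) throws Exception {
        KeyManager[] kms = null;
        if (withKey) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, pw);
            kms = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // JSSE also trusts the certificate attached to a key entry
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // same code path as the reported trace
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("server.p12")) { ks.load(in, pw); }

        SSLServerSocket server = (SSLServerSocket) context(ks, pw, true)
                .getServerSocketFactory().createServerSocket(0);
        server.setNeedClientAuth(true); // CLIENT_AUTH_REQUIRED
        Thread t = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
            } catch (IOException e) {
                // Prints "Empty server certificate chain" on affected JDKs, although
                // it is the client's chain that is empty (JDK-8325022).
                System.out.println("server side: " + e.getMessage());
            }
        });
        t.start();

        try (SSLSocket client = (SSLSocket) context(ks, pw, false)
                .getSocketFactory().createSocket("localhost", server.getLocalPort())) {
            client.startHandshake();
        } catch (IOException e) {
            System.out.println("client side: " + e.getMessage()); // fatal alert from the server
        }
        t.join();
        server.close();
    }
}
```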