On Fri, 6 Jun 2025 21:11:16 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java line 401:
>>
>>> 399: continue;
>>> 400: }
>>> 401:
>>
>> I think we should also call `CertType.check` here, like in `X509KeyManagerImpl`. Since this change is now only selecting certificates with algorithms that are not disabled, I think it also makes sense to select certificates that have the proper extensions, etc and will not cause subsequent certificate chain validation failures.
>>
>> This means we would have to change the name of the property so that it isn't only about disabling constraints checking. Perhaps: `jdk.tls.keymanager.disableCertSelectionChecking`.
>
> Yes, makes sense. Done.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2145256449