Bug ID: JDK-8154947 Avoid server failure when list of authorities in CertificateRequest is too big

JDK-8154947 : Avoid server failure when list of authorities in CertificateRequest is too big

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P4
Status: Closed
Resolution: Won't Fix

Submitted: 2016-04-22
Updated: 2017-05-17
Resolved: 2016-07-04

Related Reports

Relates :	JDK-8153948 - sun/security/mscapi/ShortRSAKey1024.sh fails with "Field length overflow"
Relates :	JDK-7200295 - CertificateRequest message is wrapping when using large numbers of Certs

Description

Currently the server is just throwing an exception when creating CertificateRequest, if all authorities cannot fit into the maximum allowed vector.

An alternative approach is to send an empty list instead.
This is what Microsoft suggests as a possible workaround:
https://support.microsoft.com/en-us/kb/933430 (Method 3).

RFC allows sending empty list of authorities:
http://tools.ietf.org/html/rfc5246

The behavior can be controlled with a CL switch.

Comments

Review request: http://mail.openjdk.java.net/pipermail/security-dev/2016-May/013794.html

06-06-2016