JDK-8154947 : Avoid server failure when list of authorities in CertificateRequest is too big
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P4
  • Status: Closed
  • Resolution: Won't Fix
  • Submitted: 2016-04-22
  • Updated: 2017-05-17
  • Resolved: 2016-07-04
Related Reports
Relates :  
Relates :  
Currently the server is just throwing an exception when creating CertificateRequest, if all authorities cannot fit into the maximum allowed vector.

An alternative approach is to send an empty list instead.
This is what Microsoft suggests as a possible workaround:
https://support.microsoft.com/en-us/kb/933430 (Method 3).

RFC allows sending empty list of authorities:

The behavior can be controlled with a CL switch.

Review request: http://mail.openjdk.java.net/pipermail/security-dev/2016-May/013794.html