JDK-8244460 : Release Note: Support for certificate_authorities Extension
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u281,11.0.10-oracle,15
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2020-05-05
  • Updated: 2021-12-02
  • Resolved: 2021-12-02
The Version table provides details of the release in which this issue/RFE will be, or has been, addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 11: 11.0.10-oracle (Resolved)
  • JDK 15: 15 (Resolved)
  • JDK 8: 8u281 (Resolved)
Description
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3 (RFC 8446, section 4.2.4). The sending endpoint uses it to list the certificate authorities (CAs) it trusts, as DER-encoded distinguished names; the receiving endpoint should use that list to select a certificate chain the peer is able to validate.

With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 on both the client and the server side. On the server side the extension is always sent (in the CertificateRequest message) to guide client certificate selection; on the client side, sending it (in the ClientHello) to guide server certificate selection is optional.

Applications can enable this extension for server certificate selection by setting the `jdk.tls.client.enableCAExtension` system property to `true` (for example, `-Djdk.tls.client.enableCAExtension=true` on the `java` command line). The default value of the property is `false`.

Note that if the client trusts more CAs than fit within the size limit of the extension (the extension payload must be less than 2^16 bytes), the extension is not sent even when the property is `true`. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes, and the whole ClientHello, including this extension, must fit within that limit. Consequently, there may be interoperability issues when `jdk.tls.client.enableCAExtension` is set to `true` and the client trusts more CAs than the server implementation can handle.
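As an added illustration (not code from the JDK or from this release note), the following program estimates how large the client-side `certificate_authorities` extension would be for the default trust store, so that the size limits above can be checked before enabling the property in production. The size arithmetic follows the wire format in RFC 8446 section 4.2.4 (a 2-byte length for the list, then each DER-encoded Name with its own 2-byte length); the 2^14 threshold is the conservative figure quoted above. The `CAExtensionCheck` class name and the optional handshake against a hostname given as `args[0]` are this example's own choices. The property is assumed to be read once when JSSE initializes, so it is set before any `SSLContext` is created; passing it with `-D` on the command line is the safer option.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class CAExtensionCheck {

    // RFC 8446, section 4.2.4:
    //   opaque DistinguishedName<1..2^16-1>;
    //   DistinguishedName certificate_authorities<3..2^16-1>;
    // so extension_data can never exceed 2^16-1 bytes.
    static final int MAX_EXTENSION_DATA = (1 << 16) - 1;
    // Conservative limit from the release note: some servers reject
    // handshake messages over 2^14 bytes, and the whole ClientHello must fit.
    static final int CONSERVATIVE_LIMIT = 1 << 14;

    /** Bytes of certificate_authorities extension_data for the given trusted CAs. */
    static int extensionDataSize(X509Certificate[] issuers) {
        int total = 2; // 2-byte length of the DistinguishedName list
        for (X509Certificate ca : issuers) {
            X500Principal subject = ca.getSubjectX500Principal();
            total += 2 + subject.getEncoded().length; // 2-byte length + DER Name
        }
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Default trust store: cacerts, or whatever javax.net.ssl.trustStore points at.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) {
                tm = (X509TrustManager) t;
                break;
            }
        }
        if (tm == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }

        X509Certificate[] issuers = tm.getAcceptedIssuers();
        int size = extensionDataSize(issuers);
        System.out.printf("%d trusted CAs -> certificate_authorities extension_data = %d bytes%n",
                          issuers.length, size);

        if (size > MAX_EXTENSION_DATA) {
            System.out.println("Over 2^16-1 bytes: the JDK will not send the extension even if enabled.");
        } else if (size > CONSERVATIVE_LIMIT) {
            System.out.println("Under 2^16 but over 2^14 bytes: expect failures with some servers.");
        } else {
            System.out.println("Fits within 2^14 bytes: enabling the extension is safe size-wise.");
        }

        // Enable the client-side extension. Assumed to be read once at JSSE
        // initialization, so it must be set before the first SSLContext is used;
        // equivalent to: java -Djdk.tls.client.enableCAExtension=true CAExtensionCheck host
        System.setProperty("jdk.tls.client.enableCAExtension", "true");

        if (args.length > 0) {
            // Optional: run a TLS 1.3 handshake against args[0]:443 with the extension on.
            SSLContext ctx = SSLContext.getInstance("TLSv1.3");
            ctx.init(null, new TrustManager[] { tm }, null);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443)) {
                s.setEnabledProtocols(new String[] { "TLSv1.3" });
                s.startHandshake();
                System.out.println("Handshake OK: " + s.getSession().getProtocol()
                                   + " with " + s.getSession().getPeerPrincipal());
            }
        }
    }
}
```

Run it once with no arguments to see the size the default trust store would produce; with a hostname argument it also performs a TLS 1.3 handshake with the extension enabled, which is the quickest way to confirm whether a given server tolerates a ClientHello of that size. A failed handshake where the unmodified client succeeds is the interoperability problem the note describes, and the fix is to trim the trust store used by that client or leave the property at its default.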