JDK-8252789 : Empty client certificate issue during TLS handshake
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 8u261
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2020-09-04
  • Updated: 2021-09-19
  • Resolved: 2020-09-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8
8u261Fixed
Related Reports
Relates :  
JDK-8262186 - Call X509KeyManager.chooseClientAlias once for all key types
Relates :  
JDK-8206925 - Support the certificate_authorities extension
Description
Update to 8u261 causes TLS handshake failure. 
In test configuration there are several handshake requests and only the first one is successful. The subsequent ones have an issue with client Certificate and provide the server with the empty cert list. As a result the server rejects client certificate handshake message.
Comments
Verified fix using 1.8.0_281-b05
20-11-2020
Problem description: After integration of TLSv1.3 X509DeployKeyManager.chooseClientAlias() works well for the first connection to a server but it may return null (i.e. empty cert list) for subsequent connection to the same server. That is side effect of the changes in the behaviour of AbstractKeyManagerWrapper.chooseClientAlias(). It used to be called once and provided X509DeployKeyManager with an array of KeyTypes. Now (within TLSv1.3 framework) it is called more frequently but with one KeyType, (i.e. input array contains one element). If there is no a certificate associated with the requested KeyType X509DeployKeyManager returns null. That null-value (cert) is stored to the local cache which contains host-cert pair. Later when a the subsequent connection is establishing the null-value is retrieved from the cache and send to the server. Fix: It is necessary to check the cert value when it is stored to the cache.
17-09-2020