JDK-8273149 : Call X509KeyManager.chooseClientAlias once for all key types
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 18
  • Submitted: 2021-08-30
  • Updated: 2023-10-16
  • Resolved: 2021-08-31
Description
Summary
-------

Restructure TLS implementation so that in the client authentication case the `X509KeyManager.chooseClientAlias` method is only called once even if the server accepts multiple key algorithms.

Problem
-------

This method used to be called only once (before TLS 1.2 support), but it is now called once for each key algorithm the server accepts, which can be unfriendly in terms of user experience.

For example, suppose the application's `X509KeyManager.chooseClientAlias` implementation displays a dialog box asking the user to choose an alias. Before this fix, the dialog would pop up multiple times. Also, since each dialog box only displays aliases for one key algorithm, the user is likely to choose a suboptimal alias in the first dialog if their most preferred alias uses a different algorithm.

Solution
--------

Modify the authentication logic so a single call is performed for all accepted algorithms.
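As an added illustration (not code from the JDK or from this CSR), the following delegating `X509KeyManager` takes advantage of the single post-fix call: because `keyType[]` now lists every algorithm the server accepts, it can rank candidate aliases by its own preference order across all of them, and it counts invocations so a deployment can confirm it sees one call per handshake. The class name, the preference order and the "first alias wins" rule are assumptions for the example.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.X509KeyManager;

/** Wraps a key manager obtained from KeyManagerFactory and chooses the client
 *  alias by a fixed key-type preference over every type the server accepts. */
public final class PreferringKeyManager implements X509KeyManager {
    // Assumed preference order for this example, most preferred first.
    private static final String[] PREFERENCE = {"EC", "RSA", "DSA"};
    private final X509KeyManager delegate;
    private final AtomicInteger chooseClientCalls = new AtomicInteger();

    public PreferringKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        chooseClientCalls.incrementAndGet();
        // With the JDK 18 behaviour keyType holds all accepted algorithms, so one pass
        // over PREFERENCE yields the globally best alias. Before the fix each call saw
        // a single type, so the "best" choice was only best for that type.
        List<String> offered = Arrays.asList(keyType);
        for (String preferred : PREFERENCE) {
            if (!offered.contains(preferred)) continue;
            String[] aliases = delegate.getClientAliases(preferred, issuers);
            if (aliases != null && aliases.length > 0) return aliases[0];
        }
        return null; // no suitable key: the handshake continues without a client certificate
    }

    /** Invocations seen so far; one per client-authenticated handshake is expected on JDK 18+. */
    public int chooseClientCalls() { return chooseClientCalls.get(); }

    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Install it with `SSLContext.init(new KeyManager[]{new PreferringKeyManager(km)}, trustManagers, null)` where `km` is the `X509KeyManager` from `KeyManagerFactory`; on a pre-fix runtime `chooseClientCalls()` grows by the number of accepted key types per handshake rather than by one.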

Specification
-------------

No spec change, but this is a behavior change.
Comments
Hi [~darcy], is it on purpose that there is no CSR for the backport to 17, or was this forgotten? Thanks! Goetz.
16-10-2023

Moving to Approved.
31-08-2021

Moving to Provisional.
30-08-2021