JDK-8261624 : Problem looking up Client Certificates in keystore
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u261,11,17
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • Submitted: 2021-02-12
  • Updated: 2021-08-31
  • Resolved: 2021-08-31
Related Reports
Duplicate :  
JDK-8262186 - Call X509KeyManager.chooseClientAlias once for all key types
Sub Tasks
JDK-8265499 :  
Release Note: Problem looking up Client Certificates in keystore - Resolved
Description
Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate `javax.net.ssl.X509KeyManager.chooseClientAlias` method in multiple iterations while performing client authentication. One key type per call.
Comments
Changing the behavior in an update release has more impact than a feature release in this regard. Updating target, only for 8u-pool.
21-06-2021
We are planning to revert it to old behavour
20-04-2021