Alexey has some good points about the size limit of the extension. I
added more comments about the compatibility impact and interop impact
when there are too many CAs to meet the size limits in the CSR, source code
and release notes.
New webrev: https://bugs.openjdk.java.net/browse/JDK-8244460
I h
Hi Alexey,
Thanks for the reproducer. Would you mind adding it to JDK-8206925 for
further testing?
I think more about if a control number could be helpful. If the
certificate authorities can not be fully listed, it cannot be used to
indicate the peer certificate selection accuracy. For exampl
For the CSR, why did you check the binary and behavioral boxes for
compatibility risk? Otherwise it looks good, and I added my name as
Reviewer. I will review the updated webrev later.
Please file and add a link to a docs issue to document the new system
property.
--Sean
On 5/13/20 5:20 PM,
Ah yes. Thanks.
--Max
> On May 14, 2020, at 10:32 PM, Sean Mullan wrote:
>
> 8244974 is closed. I assume you mean the duplicate 8218482.
>
> Fix looks good.
>
> --Sean
>
> On 5/14/20 2:11 AM, Weijun Wang wrote:
>> Please take a review at
>> https://cr.openjdk.java.net/~weijun/8244974/webr
8244974 is closed. I assume you mean the duplicate 8218482.
Fix looks good.
--Sean
On 5/14/20 2:11 AM, Weijun Wang wrote:
Please take a review at
https://cr.openjdk.java.net/~weijun/8244974/webrev.00
Time could change during the test and the cache thought it's a new entry.
Thanks,
Max
Just fixing a misprint:
It should be -Djdk.tls.client.enableCAExtension=true in the reproducer:
$JAVA_HOME/bin/java -Djdk.tls.client.enableCAExtension=true
-Djavax.net.ssl.trustStore=./cacerts
-Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com
> On 14 May 2020, at 13:5
Hello Xuelei,
I’ve posted a reproducer for the described issue:
http://cr.openjdk.java.net/~abakhtin/8206925/
The test passed and returns code=200 from the server when the CA extension is
disabled on the client side:
$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=./cacerts
-Djavax.net.ssl.trustStore