Good time of the day,

OpenJDK 11's TLS v1.3 implementation at present breaks the hostname verification code in all versions of Apache HttpClient, and I am trying to figure out the best way to remedy the situation.

Resumed TLS v1.3 sessions do not appear to carry a server certificate chain, which, as far as I understand, is to be expected. In the case of resumed TLS v1.3 sessions, an attempt to get the server's certificates with SSLSession#getPeerCertificates causes a "peer not authenticated" SSLPeerUnverifiedException. The trouble is that I fail to see any way to find out whether a TLS v1.3 session has been negotiated using the complete TLS handshake or resumed. The only solution I have been able to find so far is to catch SSLPeerUnverifiedException, see if the TLS protocol is v1.3 and presume this is because the session has been resumed [1]. This naturally looks and feels very dodgy.

Please advise how one should tell if a TLS v1.3 session has been resumed using the SSLSession interface, or what would be the right way to perform hostname verification or any custom certificate validity checks with TLS v1.3.

Thank you in advance

Oleg Kalnichevski

[1] https://github.com/ok2c/httpclient/commit/6ca28be047a7a461c7814ee7e0f3e083158ee349
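The workaround the message describes (catch SSLPeerUnverifiedException, check that the protocol is TLSv1.3, presume resumption), written out as an added illustration that is not the author's commit or HttpClient's own code. It wraps any javax.net.ssl.HostnameVerifier delegate (in a real deployment that would be HttpClient's DefaultHostnameVerifier, which is assumed here and stood in for by a lambda) and exposes the presumption as an explicit switch so that the fail-closed behaviour is the default. The SSLSession objects in the demo are constructed stand-ins built with java.lang.reflect.Proxy, not real handshakes; only getProtocol() and getPeerCertificates() are modelled.

```java
import java.lang.reflect.Proxy;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Decorates a HostnameVerifier with the workaround described in the message:
 * a missing peer certificate chain is tolerated only when the session protocol
 * is TLSv1.3, on the presumption that the session was resumed. Every other
 * session without a chain fails closed, as does everything when the
 * tolerateTls13Resumption switch is off.
 */
public final class ResumptionTolerantHostnameVerifier implements HostnameVerifier {

    private static final String TLS13 = "TLSv1.3";

    // The real check, e.g. HttpClient's DefaultHostnameVerifier (assumption; any HostnameVerifier works).
    private final HostnameVerifier delegate;
    private final boolean tolerateTls13Resumption;

    public ResumptionTolerantHostnameVerifier(HostnameVerifier delegate, boolean tolerateTls13Resumption) {
        this.delegate = delegate;
        this.tolerateTls13Resumption = tolerateTls13Resumption;
    }

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            // Surface the "peer not authenticated" condition here; HttpClient's DefaultHostnameVerifier
            // would otherwise catch it as a generic SSLException and simply return false.
            session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException ex) {
            // The branch the message calls dodgy: no chain plus TLSv1.3 is *presumed* to be a resumption.
            // There is no SSLSession API here that confirms the resumption, so keep the switch off unless
            // the deployment has decided to accept that presumption.
            boolean presumedResumed = TLS13.equals(session.getProtocol());
            return tolerateTls13Resumption && presumedResumed;
        }
        return delegate.verify(host, session);
    }

    // ---- Demo with constructed SSLSession stand-ins (reflection proxies, not real handshakes) ----

    /** Fake SSLSession reporting the given protocol and either a chain or "peer not authenticated". */
    static SSLSession fakeSession(String protocol, Certificate[] chainOrNull) {
        return (SSLSession) Proxy.newProxyInstance(
                SSLSession.class.getClassLoader(), new Class<?>[] { SSLSession.class },
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "getProtocol":
                            return protocol;
                        case "getPeerCertificates":
                            if (chainOrNull == null) {
                                // Mirrors what the message reports for resumed TLSv1.3 sessions.
                                throw new SSLPeerUnverifiedException("peer not authenticated");
                            }
                            return chainOrNull;
                        default:
                            throw new UnsupportedOperationException(method.getName() + " not modelled in this demo");
                    }
                });
    }

    public static void main(String[] args) {
        // Stand-in for the real delegate; a real deployment would plug in DefaultHostnameVerifier here.
        HostnameVerifier delegate = (host, session) -> true;
        HostnameVerifier tolerant = new ResumptionTolerantHostnameVerifier(delegate, true);
        HostnameVerifier strict = new ResumptionTolerantHostnameVerifier(delegate, false);

        // Constructed sessions: an empty array stands in for a chain a full handshake would deliver.
        SSLSession full13 = fakeSession("TLSv1.3", new Certificate[0]);
        SSLSession resumed13 = fakeSession("TLSv1.3", null);
        SSLSession unauthenticated12 = fakeSession("TLSv1.2", null);

        System.out.println("TLSv1.3, chain present          -> " + tolerant.verify("example.com", full13));
        System.out.println("TLSv1.3, no chain, tolerant     -> " + tolerant.verify("example.com", resumed13));
        System.out.println("TLSv1.3, no chain, strict       -> " + strict.verify("example.com", resumed13));
        System.out.println("TLSv1.2, no chain               -> " + tolerant.verify("example.com", unauthenticated12));
    }
}
```

The point of routing the exception through the decorator rather than the delegate is that it isolates the one case the message is unsure about: a TLSv1.3 session with no chain. With the switch off, that case is rejected exactly like any other unauthenticated peer, so the presumption is a deliberate, reviewable configuration choice rather than something buried in a catch block.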