On Thu, 18 May 2023 16:58:50 GMT, Kevin Driver <kdri...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java
>> line 290:
>>
>>> 288: shc.peerSupportedAuthorities = spec.getAuthorities();
>>> 289: } catch (IllegalArgumentException iae) {
>>> 290: shc.conContext.fatal(Alert.DECODE_ERROR,
>>> "X500Principal could not be parsed", iae);
>>
>> In the context, it may be easier to catch the idea if the message is about
>> the authorities, and easier to update getAuthorities() implementation, for
>> example X500Principal is not used any longer, if needed in the future.
>>
>> - "X500Principal could not be parsed"
>> + "Peer authorities could not be parsed"
>
> I'm inclined to keep the current version. It seems more specific in guiding
> the caller to the fix needed. However, I understand your point.
>
> @seanjmullan comments?

I tend to agree with Xuelei in that we should try to use terms as specified in
the TLS RFCs in error messages as that will give a user a better indication of
where the issue is. I would even be a bit more specific and suggest:

"The distinguished names of the peer's certificate authorities could not be
parsed"

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13466#discussion_r1198073492