On Wed, 31 Jan 2024 20:07:28 GMT, John Jiang <[email protected]> wrote:
>> If the server doesn't receive the client certificate for required client
>> authentication, it should raise error `Empty client certificate chain`.
>
> John Jiang has updated the pull request incrementally with one additional
> commit since the last revision:
>
> fix more error messages
src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 389:
> 387: // unexpected or require client authentication
> 388: throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
> 389: "Empty client certificate chain");
Hm, in TLS 1.3 it should be certificate_required and in 1.2 handshake_failure
for required auth.

RFC 8446 6.2 “certificate_required: Sent by servers when a client certificate is
desired but none was provided by the client.”

RFC 5246 7.4.6 “If the client does not send any certificates, the
server MAY at its discretion either continue the handshake without
client authentication, or respond with a fatal handshake_failure
alert.”
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17645#discussion_r1473440462