Hello Sean, Tim

I've attached logs to JDK-8347067, created based on Tim's report.
As you mentioned already, the issue happens because the TLS server sends a 
truncated chain without the CA intermediate certificates.
In my understanding, it should not be a problem if the Root and CA intermediate 
are stored in the KeychainStore.
According to the Apple spec, a CA intermediate can be stored without trust 
settings but is considered trusted if it validates to the root cert.

Regards
Alexey

> On 13 Jan 2025, at 01:21, Tim Jacomb <timjaco...@gmail.com> wrote:
> 
> Hi Sean
> 
> I don't have access to add to the bug report, but I've attached to the GitHub 
> pull request here:
> https://github.com/openjdk/jdk/pull/22911#issuecomment-2586577905
> 
> (this can also be reproduced with this repository: 
> https://github.com/timja/openjdk-intermediate-ca-reproducer)
> 
> Thanks
> Tim
> 
> On Thu, 9 Jan 2025 at 20:56, Sean Mullan <sean.mul...@oracle.com 
> <mailto:sean.mul...@oracle.com>> wrote:
>> 
>> On 1/8/25 4:06 AM, Tim Jacomb wrote:
>> > TLS handshake fails with PKIX path building error.
>> > 
>> > Chain is Root -> Intermediate -> Leaf in the runnable example, although 
>> > in our real-world use-case it's Root -> Intermediate 1 -> Intermediate 2 
>> > -> Leaf.
>> > If I run the example only with Root -> Leaf then it works fine...
>> 
>> It would be helpful if you can attach two logfiles (assuming the info 
>> isn't sensitive) to the bug report[1], one running with 
>> -Djavax.net.debug=all and the other with -Djava.security.debug=certpath.
>> 
>> Thanks,
>> Sean
>> 
>> [1] https://bugs.openjdk.org/browse/JDK-8347067
>> 
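Alexey's diagnosis above (the server sends a truncated chain, so path building fails unless the intermediate is available from a local store) reproduced with the openssl CLI, as an added example that is not code from the thread or the JDK. It assumes openssl 1.1.1 or later on PATH and builds throwaway Root -> Intermediate -> Leaf test certificates in a temporary directory:

```shell
#!/bin/sh
# Added example, not code from the thread or the JDK: reproduce the
# path-building failure with the openssl CLI. Assumes openssl 1.1.1+ on PATH;
# every certificate here is constructed test data in a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: CAs get basicConstraints CA:TRUE, the leaf does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

# Root CA: a CSR self-signed with its own key.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf (server) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf [INTERMEDIATE]: prints "ok" if the leaf chains to the trusted
# root, "fail" otherwise. The optional argument stands in for an intermediate
# held in a local store (such as the KeychainStore) rather than sent by the server.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

echo "leaf only (truncated chain): $(verify_leaf)"          # fail
echo "leaf + local intermediate:   $(verify_leaf int.pem)"  # ok
```

The first check is the client that only received the leaf; the second supplies the intermediate from a local store, which is the situation Alexey describes where validation should succeed.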
