Hello Sean,

The enhancement looks reasonable. As far as I know, Tim submitted the PR for this enhancement. I will be happy to review and help with it.

Regards
Alexey

> On 17 Jan 2025, at 13:58, Sean Mullan <sean.mul...@oracle.com> wrote:
>
> Alexey,
>
> Given your experience with implementing
> https://bugs.openjdk.org/browse/JDK-8320362, is this something you would be
> interested in working on?
>
> Tim, any progress on the OCA?
>
> Thanks,
> Sean
>
> On 1/13/25 2:47 PM, Alexey Bakhtin wrote:
>> Hello Sean, Tim
>>
>> I've attached logs to the JDK-8347067, created based on Tim’s report.
>> As you mentioned already, the issue happens because the TLS server sends
>> truncated chain without CA intermediate certificates.
>> In my understanding, it should not be a problem if the Root and CA
>> intermediate are stored in the KeychainStore.
>> According to the Apple spec CA intermediate can be stored without trust
>> settings but is considered trusted if validated to the root cert.
>>
>> Regards
>> Alexey
>>
>>> On 13 Jan 2025, at 01:21, Tim Jacomb <timjaco...@gmail.com> wrote:
>>>
>>> Hi Sean
>>>
>>> I don't have access to add to the bug report, but I've attached to the
>>> GitHub pull request here:
>>> https://github.com/openjdk/jdk/pull/22911#issuecomment-2586577905
>>>
>>> (this can also be reproduced with this repository:
>>> https://github.com/timja/openjdk-intermediate-ca-reproducer)
>>>
>>> Thanks
>>> Tim
>>>
>>> On Thu, 9 Jan 2025 at 20:56, Sean Mullan <sean.mul...@oracle.com> wrote:
>>>>
>>>> On 1/8/25 4:06 AM, Tim Jacomb wrote:
>>>> > TLS handshake fails with PKIX path building error.
>>>> >
>>>> > Chain is Root -> Intermediate -> Leaf in the runnable example although
>>>> > in our real-world use-case it's Root -> Intermediate 1 -> Intermediate 2
>>>> > -> Leaf
>>>> > If I run the example only with Root -> Leaf then it works fine...
>>>>
>>>> It would be helpful if you can attach two logfiles (assuming the info
>>>> isn't sensitive) to the bug report[1], one running with
>>>> -Djavax.net.debug=all and the other with -Djava.security.debug=certpath.
>>>>
>>>> Thanks,
>>>> Sean
>>>>
>>>> [1] https://bugs.openjdk.org/browse/JDK-8347067