On Fri, 6 Jun 2025 15:20:56 GMT, Sean Mullan <mul...@openjdk.org> wrote:

>> Artur Barashev has updated the pull request incrementally with one 
>> additional commit since the last revision:
>> 
>>   Make the test run on TLSv1.3
>
> src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java line 
> 401:
> 
>> 399:                 continue;
>> 400:             }
>> 401: 
> 
> I think we should also call `CertType.check` here, like in 
> `X509KeyManagerImpl`. Since this change is now only selecting certificates 
> with algorithms that are not disabled, I think it also makes sense to select 
> certificates that have the proper extensions, etc., and will not cause 
> subsequent certificate chain validation failures.
> 
> This means we would have to change the name of the property so that it isn't 
> only about disabling constraints checking. Perhaps: 
> `jdk.tls.keymanager.disableCertSelectionChecking`.

Yes, makes sense.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2132913338
