See X509KeyManagerCertChecking#getAlgorithmConstraints. If the handshake 
session is not an ExtendedSSLSession, the method returns constraints using a 
null list of peerSupportedSignAlgs, which in turn means that all certificates 
will be rejected. Accepting all signature schemes would probably be a better 
choice here, and that's what we do when the handshake session is not available 
at all.

The SunJSSE SSLSockets and SSLEngines both return extended SSL sessions. There 
are no known third-party providers that return non-extended SSL sessions.

-------------

Commit messages:
 - 8365953: Key manager returns no certificates when handshakeSession is not an 
ExtendedSSLSession

Changes: https://git.openjdk.org/jdk/pull/27106/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27106&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8365953
  Stats: 451 lines in 3 files changed: 406 ins; 14 del; 31 mod
  Patch: https://git.openjdk.org/jdk/pull/27106.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/27106/head:pull/27106

PR: https://git.openjdk.org/jdk/pull/27106
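
The three session cases described in the message, as an added example that is not the JDK's code or this PR's patch: it uses only the public JSSE API (`ExtendedSSLSession.getPeerSupportedSignatureAlgorithms()`), and `PeerSigAlgs`, `peerSupported`, `lenientPermits` and `strictPermits` are hypothetical names. `strictPermits` models the reject-everything outcome of treating a missing list as empty; `lenientPermits` models accepting all signature schemes when the peer's list is unavailable.

```java
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLSession;

public class PeerSigAlgs {
    // Empty Optional: the peer's list is unavailable (no handshake session,
    // or a session that is not an ExtendedSSLSession).
    static Optional<Set<String>> peerSupported(SSLSession hs) {
        if (hs instanceof ExtendedSSLSession ext) {
            Set<String> algs = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
            algs.addAll(Arrays.asList(ext.getPeerSupportedSignatureAlgorithms()));
            return Optional.of(algs);
        }
        return Optional.empty();
    }

    // Model of the behaviour the message proposes: no list means no restriction.
    static boolean lenientPermits(SSLSession hs, String certSigAlg) {
        return peerSupported(hs).map(s -> s.contains(certSigAlg)).orElse(true);
    }

    // Model of the reported failure: a missing list is treated as an empty
    // one, so no certificate signature algorithm can ever match.
    static boolean strictPermits(SSLSession hs, String certSigAlg) {
        return peerSupported(hs).orElse(Set.of()).contains(certSigAlg);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a provider session that implements only
        // SSLSession; none of its methods are invoked below.
        SSLSession plain = (SSLSession) Proxy.newProxyInstance(
                PeerSigAlgs.class.getClassLoader(),
                new Class<?>[] { SSLSession.class },
                (proxy, method, methodArgs) -> null);

        String alg = "SHA256withRSA"; // constructed sample value
        System.out.println("no session, lenient:    " + lenientPermits(null, alg));
        System.out.println("plain session, lenient: " + lenientPermits(plain, alg));
        System.out.println("plain session, strict:  " + strictPermits(plain, alg));
    }
}
```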
