8311644: Server should not send bad_certificate alert when the client does not send any certificates

Reviewed-by: djelinski, jjiang, ssahoo
2025-08-27 23:04:50 +02:00 · 2024-02-26 16:49:01 +00:00 · 2024-02-26 16:49:01 +00:00 · f62b5789ad
commit f62b5789ad
parent 9a9cfbe0ba
8 changed files with 246 additions and 79 deletions
--- a/src/java.base/share/classes/sun/security/ssl/Alert.java
+++ b/src/java.base/share/classes/sun/security/ssl/Alert.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -123,13 +123,13 @@ enum Alert {
        }

        if (cause instanceof IOException) {
-            return new SSLException(reason, cause);
+            return new SSLException("(" + description + ") " + reason, cause);
        } else if ((this == UNEXPECTED_MESSAGE)) {
-            return new SSLProtocolException(reason, cause);
+            return new SSLProtocolException("(" + description + ") " + reason, cause);
        } else if (handshakeOnly) {
-            return new SSLHandshakeException(reason, cause);
+            return new SSLHandshakeException("(" + description + ") " + reason, cause);
        } else {
-            return new SSLException(reason, cause);
+            return new SSLException("(" + description + ") " + reason, cause);
        }
    }

--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
@ -385,7 +385,7 @@ final class CertificateMessage {
                if (shc.sslConfig.clientAuthType !=
                        ClientAuthType.CLIENT_AUTH_REQUESTED) {
                    // unexpected or require client authentication
-                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Empty client certificate chain");
                } else {
                    return;
@ -1162,7 +1162,7 @@ final class CertificateMessage {
                shc.handshakeConsumers.remove(
                        SSLHandshake.CERTIFICATE_VERIFY.id);
                if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
-                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.CERTIFICATE_REQUIRED,
                        "Empty client certificate chain");
                } else {
                    // optional client authentication
@ -1186,7 +1186,7 @@ final class CertificateMessage {
                T13CertificateMessage certificateMessage )throws IOException {
            if (certificateMessage.certEntries == null ||
                    certificateMessage.certEntries.isEmpty()) {
-                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.DECODE_ERROR,
                    "Empty server certificate chain");
            }