
How to enable certificate_authorities extension in Jetty with TLS 1.3

I recently updated my Jetty server (11.0.1) to TLS 1.3 (JRE 11.0.9.1). The server does not send trusted certificate_authorities anymore in the CertificateRequest phase (client certificate authentication is required).

Consequently, in the prompt window, the browsers do not filter the client certificates delivered by the CA trusted by the server.

How can I enable the certificate_authorities extension on my Jetty server in order to send this information to the client during the TLS handshake?


Answer

In short, upgrade your JVM.

Java 11.0.9 expired on January 19, 2021 (per the release notes for 11.0.9).

When using SSL/TLS from Java, it is very important to keep your JVM up to date and to pay attention to JVM expiration dates.

Example: The support for the certificate_authorities extension was a filed issue and fixed in Java 11.0.10+ (the release notes for 11.0.10 even say so).

The Issue: https://bugs.openjdk.java.net/browse/JDK-8206925

And don’t limp into Java 11.0.10 only, as that version is expired in April 2021 as well; use the latest in the Java 11.x series.

User contributions licensed under: CC BY-SA
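
One way to confirm, after the JVM upgrade, that the server is advertising its trusted CAs again (an added example, not part of the original question or answer): parse `openssl s_client` output and list the CA names from the CertificateRequest. The function names and sample output below are constructed, and the output labels assume OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and prints the CA
# names the server advertised in its CertificateRequest, one per line.
# Exit status: 0 = names sent, 1 = server sent none,
#              2 = no CertificateRequest information in the input.
advertised_client_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; seen = 1; next }
        /^No client certificate CA names sent/    { seen = 1; next }
        # The DN list ends at the next separator or s_client label line.
        in_list && (/^---/ || /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature Algorithms|Peer signing digest|Peer signature type|Server Temp Key):/) { in_list = 0 }
        in_list && NF { print; n++ }
        END { if (n) exit 0; exit (seen ? 1 : 2) }
    '
}

# Live check against a server, e.g. check_server localhost:8443
# (host and port are placeholders). Forces TLS 1.3 as in the question.
check_server() {
    openssl s_client -connect "$1" -tls1_3 </dev/null 2>/dev/null |
        advertised_client_cas
}

# Constructed sample: output shape when the extension is sent.
sample_with_cas() {
    cat <<'EOF'
CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA
CN = Example Root CA
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
SSL handshake has read 1500 bytes and written 400 bytes
EOF
}

# Constructed sample: output shape when no CA names are sent.
sample_without_cas() {
    cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
EOF
}
```

An exit status of 1 from `check_server` matches the symptom in the question: the browser has no CA list to filter client certificates against.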