Closed Murtlaps closed 1 year ago
Thanks for the analysis, that sounds at a glance reasonable indeed.
@MattGill98 and @dmatej what do you think?
I'm not sleeping, I'm not sleeping! :-) Nice investigation, yeah, I will try to fix it and we will see what will happen then ;)
I discovered, when trying to run my code with Java 17, that there is an issue in the Grizzly Framework. In RequestUtil::populateSSLAttributes the attribute "javax.servlet.request.X509Certificate" is set (line 74 in the snippet below):
https://github.com/eclipse-ee4j/grizzly/blob/b08af6b0dcbc497696c17d23ee7aeadbb02b9f89/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/util/RequestUtils.java#L66-L76

However, when running with Java 17, SSLSupportImpl::getPeerCertificateChain returns null (line 126 in the code snippet below), because javax.net.ssl.SSLSession::getPeerCertificateChain throws an UnsupportedOperationException if the method is not implemented (notice that the method has been deprecated since Java 9):
https://github.com/eclipse-ee4j/grizzly/blob/b08af6b0dcbc497696c17d23ee7aeadbb02b9f89/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupportImpl.java#L113-L129

The following link to a code snippet shows SSLSession::getPeerCertificateChain in OpenJDK version 17:
https://github.com/openjdk/jdk/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/java.base/share/classes/javax/net/ssl/SSLSession.java#L258-L298

Since the method getPeerCertificateChain is not implemented in the Java 17 version of sun.security.ssl.SSLSessionImpl (see the Java 17 implementation as opposed to the Java 11 implementation), which the Grizzly framework uses, the attribute "javax.servlet.request.X509Certificate" is never set even though a certificate (chain) might be available.

Would it be possible to solve the issue by simply calling the suggested method SSLSession::getPeerCertificates instead?
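
A sketch of the approach asked about in the report, added here as an illustration and not taken from Grizzly's code: read the chain through SSLSession::getPeerCertificates and convert it to the X509Certificate[] that the servlet attribute carries. The class name PeerCertChain and the method peerChain are hypothetical, and the session in main is a constructed stand-in for a connection where the client sent no certificate.

```java
import java.io.ByteArrayInputStream;
import java.lang.reflect.Proxy;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class PeerCertChain { // hypothetical name, not a Grizzly class

    /** Returns the peer's X.509 chain, or null when the peer presented no certificate. */
    static X509Certificate[] peerChain(SSLSession session) throws CertificateException {
        Certificate[] certs;
        try {
            // Non-deprecated accessor; every SSLSession implementation must provide it.
            certs = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            return null; // peer not authenticated: the request attribute stays unset
        }
        if (certs == null || certs.length == 0) return null;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) {
            if (certs[i] instanceof X509Certificate) {
                chain[i] = (X509Certificate) certs[i];
            } else {
                // Re-parse any other Certificate type from its encoded form.
                chain[i] = (X509Certificate) cf.generateCertificate(
                        new ByteArrayInputStream(certs[i].getEncoded()));
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in: a session whose peer sent no client certificate.
        SSLSession noClientCert = (SSLSession) Proxy.newProxyInstance(
                PeerCertChain.class.getClassLoader(), new Class<?>[] {SSLSession.class},
                (proxy, method, a) -> {
                    if (method.getName().equals("getPeerCertificates")) {
                        throw new SSLPeerUnverifiedException("peer not authenticated");
                    }
                    throw new UnsupportedOperationException(method.getName());
                });
        System.out.println(peerChain(noClientCert) == null ? "attribute stays unset" : "chain found");
    }
}
```

Returning null only for SSLPeerUnverifiedException keeps "no client certificate" distinguishable from an API failure, so a missing attribute on a mutual-TLS endpoint reflects the handshake and not the JDK version.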