Skip to content

SslConfigurationValidator should check if the configured key alias is for a key and certificate #25112

Description

@shartte

When using a PKCS12 keystore without a password, one will simply receive errors such as this on the clientside:

* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).

This is due to the Sun keystore loading the key, but not the certificate entries from a PKCS12 store without a password.

org.springframework.boot.web.server.SslConfigurationValidator#validateKeyAlias validates that the configured key alias is present (which it is), but no corresponding certificate alias will be present, which leads to a handshake failure deep down in the guts of the JDK's SSL handshaker.

SslConfigurationValidator could potentially use keyStore.isCertificateEntry(keyAlias) and keyStore.isKeyEntry(keyAlias) to check for this case.

I am unaware if every TLS ciphersuites requires a certificate, but potentially having a warning here would be nice to avoid chasing this problem.

Some references to OpenJDK not "truly" supporting PKCS12 without a password can also be found here:
https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions