When using a PKCS12 keystore without a password, one will simply receive errors such as this on the client side:
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
This is due to the Sun keystore loading the key, but not the certificate entries from a PKCS12 store without a password.
org.springframework.boot.web.server.SslConfigurationValidator#validateKeyAlias validates that the configured key alias is present (which it is), but no corresponding certificate alias will be present, which leads to a handshake failure deep down in the guts of the JDK's SSL handshaker.
SslConfigurationValidator could potentially use keyStore.isCertificateEntry(keyAlias) and keyStore.isKeyEntry(keyAlias) to check for this case.
I am unaware if every TLS cipher suite requires a certificate, but potentially having a warning here would be nice to avoid chasing this problem.
Some references to OpenJDK not "truly" supporting PKCS12 without a password can also be found here:
https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot
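One way to implement the kind of check suggested above, as an added example that is not Spring Boot's own code. The class name `KeyAliasCheck` and its command-line arguments are assumptions, and it uses the standard `KeyStore.getCertificateChain` to detect a key entry that was loaded without certificates, which is a choice made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

// Hypothetical stand-alone checker (added example, not part of Spring Boot).
public class KeyAliasCheck {

    /** Returns null when the alias can serve a TLS handshake, otherwise a description of the problem. */
    static String describeProblem(KeyStore keyStore, String keyAlias) throws Exception {
        if (!keyStore.containsAlias(keyAlias)) {
            return "alias '" + keyAlias + "' is not present in the keystore";
        }
        if (!keyStore.isKeyEntry(keyAlias)) {
            return "alias '" + keyAlias + "' is not a key entry";
        }
        // A private key that was loaded without its certificates has no chain
        // to present to the peer, so the handshake fails later on.
        Certificate[] chain = keyStore.getCertificateChain(keyAlias);
        if (chain == null || chain.length == 0) {
            return "alias '" + keyAlias + "' has a private key but no certificate chain";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyAliasCheck <store.p12> <alias> [password]");
            System.exit(2);
        }
        // Omitting the password argument reproduces the no-password load from the report.
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            keyStore.load(in, password);
        }
        String problem = describeProblem(keyStore, args[1]);
        if (problem != null) {
            System.err.println("Keystore problem: " + problem);
            System.exit(1);
        }
        System.out.println("Alias '" + args[1] + "' has a key and a certificate chain.");
    }
}
```

Running it once without and once with the password against the same store shows whether the certificates are only visible when a password is supplied.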