See, e.g. https://github.com/google/conscrypt/actions/runs/22361936139/job/64721730265?pr=1484 where 226 tests fail.
These fall into two categories:
1. Java 26 newly adds a bunch of certificate checks in the paths of `SunX509KeyManagerImpl.chooseServerAlias()` (and all the other alias choosing functions) and the test certificates and keys which are generated on the fly for `TestKeyStore` using Bouncy Castle fail these checks. The correct fix is to figure out which check(s) are failing and fix the test certificate generation, but as these checks are likely not failing for any real, production certs then it makes sense to temporarily disable these checks during testing only by setting the Java property `jdk.tls.SunX509KeyManager.certChecking` to `false` in the OpenJDK test suite. This would make 224 of the 226 failures pass.
2. The same alias chooser methods now return null when asked for a key of type `EC_EC`, which breaks the other two failing tests. This feels like an upstream regression introduced in the change which caused (1) because this style of naming (`<key type>_<signature type>`) is still very much listed in the Java 25 JCA Standard Names document and the change makes no reference to deprecating them. It might make sense to disable testing for this key type until it is determined if this is a regression or not, otherwise landing Add more JDK versions to CI #1484 will break CI for everyone.
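A stand-alone probe for comparing the alias chooser across JDK versions, added here as an example and not taken from Conscrypt or its test suite. The class name `AliasProbe`, the alias, password and DN are constructed values, and the certificate fields it prints are only an assumption about what the new checks might inspect.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Hypothetical probe class; alias, password and DN are constructed test values.
public class AliasProbe {
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();
        Path store = Files.createTempDirectory("alias-probe").resolve("probe.p12");

        // Generate a self-signed EC entry with the keytool of the JDK under test.
        String keytool = Path.of(System.getProperty("java.home"), "bin", "keytool").toString();
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "probe",
                "-keyalg", "EC", "-dname", "CN=probe.invalid", "-validity", "1",
                "-storetype", "PKCS12", "-keystore", store.toString(),
                "-storepass", "changeit").inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (var in = Files.newInputStream(store)) {
            ks.load(in, pass);
        }

        // Fields a certificate check could plausibly look at (assumption; the
        // issue does not say which checks the generated test certificates fail).
        X509Certificate cert = (X509Certificate) ks.getCertificate("probe");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("certChecking  = "
                + System.getProperty("jdk.tls.SunX509KeyManager.certChecking", "<unset>"));
        System.out.println("sigAlg        = " + cert.getSigAlgName());
        System.out.println("notAfter      = " + cert.getNotAfter());
        System.out.println("keyUsage      = " + Arrays.toString(cert.getKeyUsage()));
        System.out.println("extKeyUsage   = " + cert.getExtendedKeyUsage());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pass);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // Plain key type versus the <key type>_<signature type> form from the issue.
        for (String keyType : new String[] {"EC", "EC_EC", "EC_RSA"}) {
            System.out.printf("chooseServerAlias(%-6s) -> %s%n",
                    keyType, km.chooseServerAlias(keyType, null, null));
        }
    }
}
```

Run it on Java 25 and Java 26, and on Java 26 both with and without `-Djdk.tls.SunX509KeyManager.certChecking=false`, then compare the `chooseServerAlias` lines.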