The trust manager currently only build its list of accepted issuers (in getAcceptedIssuers()) from the list of CA certificates pass via client_ca (this is the content of internalContext.clientCert).

(Firstly, as a side node, it would make sense to call clientCert something else: it is not a client certificate in any way. It's a list of certificates used to build the certificate_authorities list of DNs in the CertificateRequest TLS message sent when requesting a client certificate.)

More importantly, client_ca aims to implement the behaviour in OpenSSL's SSL_CTX_set_client_CA_list, which overrides the default when used:

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

Unfortunately, here, when it's not used, it is not falling back to the main store.

Effectively, by default, this trust manager always returns an empty list in the CertificateRequest message. This is explicitly allowed in TLS 1.1 and 1.2, but the behaviour is not well defined:

  If
  the certificate_authorities list is empty, then the client MAY
  send any certificate of the appropriate ClientCertificateType,
  unless there is some external arrangement to the contrary.

Both OpenSSL and JSSE would return the list of DNs of the CA certificates they're willing to trust by default, if that list is not explicitly overridden.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.