Conversation

Contributor

@JeremiahM37 JeremiahM37 commented Dec 31, 2025

wolfJSSE Compatibility Improvements for Spring Boot

Summary

These changes improve wolfJSSE compatibility with Spring Boot's SSL/TLS testing infrastructure, enabling 266 Spring Boot tests to pass. The updates align behavior with standard SunJSSE expectations, specifically regarding exception types and session state management.


Changes

WolfSSLEngine.java

  • Throw SSLHandshakeException during handshake errors: Changed to throw SSLHandshakeException instead of a generic SSLException when errors occur before handshake completion. Spring Boot tests check exception types to distinguish handshake failures from other SSL errors.

WolfSSLEngineHelper.java

  • Track client auth state: Pass clientAuthRequested flag to session when needClientAuth or wantClientAuth is set, enabling proper getPeerCertificates() behavior.

WolfSSLImplementSSLSession.java

  • Fix getPeerCertificates() behavior: Throw SSLPeerUnverifiedException when called on server-side with no client auth requested (instead of returning null). This matches SunJSSE behavior that Spring Boot expects.
  • Fix getPeerCertificateChain() behavior: Throw exception instead of returning null when no peer certificate is available.

WolfSSLKeyX509.java

  • Fix chooseClientAlias() / chooseEngineClientAlias(): Skip certificate-only entries (trustedCertEntry) that have no private key. Previously, this would return aliases for trust anchors that could not be used for client authentication.

WolfSSLTrustManager.java

  • Support CertPathTrustManagerParameters: Implement engineInit(ManagerFactoryParameters) to handle CertPathTrustManagerParameters, extracting trust anchors and creating a KeyStore. Used by Tomcat and Spring Boot for SSL configuration.
  • Support KeyStoreBuilderParameters: Also handle KeyStoreBuilderParameters for applications that use KeyStore builders.

WolfSSLUtil.java

  • Null-safe sanitizeProtocols(): Return null early if protocols array is null, preventing NullPointerException.
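The exception-type point in the WolfSSLEngine.java entry above is easiest to see with two in-memory SSLEngines pumping records at each other. The following is an added example, not code from this PR, from wolfJSSE or from Spring Boot; it uses only the standard JSSE API, defaults to the platform provider (SunJSSE on a stock JDK), and deliberately builds the server engine without key material so the handshake has to fail before completion. On SunJSSE the server side fails because it has no certificate to offer, and the client, once it unwraps the resulting fatal alert, fails as well; both surface as SSLHandshakeException rather than a bare SSLException, which is the distinction the tests described above rely on.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import java.nio.ByteBuffer;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not wolfJSSE or Spring Boot code): drives a TLS handshake between two
 * in-memory SSLEngines and records which exception type each side throws. The server
 * engine is created without any key material, so the handshake must fail before it
 * completes; a SunJSSE-compatible provider reports that as SSLHandshakeException.
 */
public class HandshakeExceptionDemo {

    /** Runs the handshake to completion or failure; returns the exception each side threw, keyed by side. */
    public static Map<String, SSLException> handshake(SSLEngine client, SSLEngine server) throws SSLException {
        int net = Math.max(client.getSession().getPacketBufferSize(), server.getSession().getPacketBufferSize());
        int app = Math.max(client.getSession().getApplicationBufferSize(), server.getSession().getApplicationBufferSize());
        ByteBuffer c2s = ByteBuffer.allocate(net);   // records written by the client, read by the server
        ByteBuffer s2c = ByteBuffer.allocate(net);   // records written by the server, read by the client
        ByteBuffer cApp = ByteBuffer.allocate(app);
        ByteBuffer sApp = ByteBuffer.allocate(app);
        Map<String, SSLException> thrown = new LinkedHashMap<>();

        client.beginHandshake();
        server.beginHandshake();
        boolean progress = true;
        for (int round = 0; progress && round < 64; round++) {   // round cap guards against a stuck loop
            progress = step(client, "client", s2c, c2s, cApp, thrown)
                     | step(server, "server", c2s, s2c, sApp, thrown);   // non-short-circuit: both sides get a turn
        }
        return thrown;
    }

    /** One scheduling step for a single engine. Returns true if it did any work. */
    private static boolean step(SSLEngine engine, String side, ByteBuffer netIn, ByteBuffer netOut,
                                ByteBuffer app, Map<String, SSLException> thrown) {
        try {
            switch (engine.getHandshakeStatus()) {
                case NEED_TASK:
                    for (Runnable task = engine.getDelegatedTask(); task != null; task = engine.getDelegatedTask()) {
                        task.run();   // a failure inside a task is rethrown by the engine's next wrap/unwrap
                    }
                    return true;
                case NEED_WRAP:
                    // Also flushes a pending fatal alert after the engine has already failed.
                    engine.wrap(ByteBuffer.allocate(0), netOut);
                    return true;
                case NEED_UNWRAP:
                    if (thrown.containsKey(side)) {
                        return false;   // a failed engine only gets to flush alerts, never to read more
                    }
                    netIn.flip();
                    try {
                        SSLEngineResult r = engine.unwrap(netIn, app);
                        return r.getStatus() != SSLEngineResult.Status.BUFFER_UNDERFLOW;   // underflow: waiting on the peer
                    } finally {
                        netIn.compact();   // back to write mode for the peer's next wrap
                    }
                default:   // FINISHED or NOT_HANDSHAKING: nothing to do
                    return false;
            }
        } catch (SSLException e) {
            thrown.putIfAbsent(side, e);
            return true;   // come back once more so the alert, if any, can be wrapped out
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the platform default provider. To exercise wolfJSSE instead, register its
        // provider and pass it to SSLContext.getInstance("TLS", provider).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // no KeyManager: the server engine has no certificate to offer

        SSLEngine client = ctx.createSSLEngine("localhost", 443);
        client.setUseClientMode(true);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);

        for (Map.Entry<String, SSLException> e : handshake(client, server).entrySet()) {
            SSLException ex = e.getValue();
            System.out.printf("%s: %s (%s, isHandshakeException=%b)%n", e.getKey(),
                    ex.getClass().getSimpleName(), ex.getMessage(), ex instanceof SSLHandshakeException);
        }
    }
}
```

The check a test would make is the last column: `ex instanceof SSLHandshakeException` must be true on both sides for a provider that matches SunJSSE, and a provider that throws only SSLException before the handshake completes would print false there. The exact messages differ between providers, so assert on the type, not the text.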

@JeremiahM37 JeremiahM37 changed the title from "getPeerCertificateChain() to throw exception when client auth not requested" to "springboot wolfjsse fixes" on Jan 28, 2026