On Fri, 3 Apr 2026 10:44:09 GMT, Daniel Jeliński <[email protected]> wrote:
> This PR improves the exceptions thrown from HttpClient.send when the QUIC TLS
> handshake fails on the client side, for example because the server
> certificate is not trusted.
>
> Before the changes we would throw the following exception chain:
>
> javax.net.ssl.SSLHandshakeException: QUIC connection establishment failed
> Caused by: javax.net.ssl.SSLHandshakeException: QUIC connection establishment
> failed
> Caused by: java.io.IOException: certificate_unknown
>
> After the changes the following exception chain is thrown:
>
> javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX
> path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>
> The new exception chain matches the one observed with HTTP 1/2.
>
> I updated a preexisting test to cover HTTP3, and added assertions to verify
> the exception message. HttpClient tests continue to pass.
test/jdk/java/net/httpclient/InvalidSSLContextTest.java line 72:
> 70: static volatile SSLServerSocket sslServerSocket;
> 71: static volatile String uri;
> 72: private static HttpServerAdapters.HttpTestServer h3Server;
I'd suggest importing
`jdk.httpclient.test.lib.common.HttpServerAdapters.HttpTestServer`
test/jdk/java/net/httpclient/InvalidSSLContextTest.java line 87:
> 85: public void testSync(Version version, String uri) throws Exception {
> 86: // client-side uses a different context to that of the server-side
> 87: HttpClient client = HttpClient.newBuilder()
Use `HttpServerAdapters.createClientBuilderForH3()` to avoid port stealing
issues on macOS.
test/jdk/java/net/httpclient/InvalidSSLContextTest.java line 111:
> 109: // client-side uses a different context to that of the
> server-side
> 110: HttpClient client = HttpClient.newBuilder()
> 111: .proxy(NO_PROXY)
Same here
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/30563#discussion_r3032475987
PR Review Comment: https://git.openjdk.org/jdk/pull/30563#discussion_r3032480602
PR Review Comment: https://git.openjdk.org/jdk/pull/30563#discussion_r3032482161
