[gnutls-devel] GnuTLS | Client Authentication broken with Java 17.0.17+ (and recent versions of Java) (#1842)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri Apr 17 00:24:14 CEST 2026
Romain Tartière created an issue: https://gitlab.com/gnutls/gnutls/-/work_items/1842
## Description of problem:
A few months ago, after a regular package update on our Debian systems from openjdk-17 (17.0.16+8-1 -> 17.0.17~5ea-1), our monitoring system stopped receiving logs from all our log clients (logs sent by a C program) but kept receiving metrics (from the same node) sent by our metric clients (metrics sent by a ruby program).
Both systems are using the same mTLS certificates to authenticate clients against the server. The ruby clients were fine, but the C client could not establish a TLS connection because the handshake systematically failed.
After reverting the java package to the previous version (17.0.17~5ea-1 -> 17.0.16+8-1), everything was working again as expected.
## More context
Thanks to some git-bisect, the commit in openjdk that breaks authentication has been identified and is:
https://github.com/openjdk/jdk17u/commit/fe850da38a3fc0c9ce6cf9348efca3c846e97143
It relates to this issue:
https://bugs.openjdk.org/browse/JDK-8349583
Other versions of openjdk which include this change also trigger the issue with GnuTLS (tested with openjdk 21 and a few other versions).
## Version of gnutls used:
Our production systems use the version of GnuTLS packaged in Debian (libgnutls30:amd64 3.7.9-2+deb12u6).
The issue has also been reproduced on FreeBSD with the latest version of GnuTLS.
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
System packages from Debian and FreeBSD.
## How reproducible:
Steps to Reproduce:
* Set up a Java service that offers mTLS authentication;
* Use a GnuTLS client that relies on `gnutls_certificate_set_x509_key_file()` to set up the client-side TLS key and certificate;
* Attempt to connect with different versions of Java.
## Actual results:
Handshake fails when using a version of Java that includes the above code (newer versions of Java) but succeeds with older versions of Java.
## Expected results:
Handshake should succeed regardless of the version of Java used.