Ricardo Martin Camarero created WFCORE-5064: ----------------------------------------------- Summary: Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory Key: WFCORE-5064 URL: https://issues.redhat.com/browse/WFCORE-5064 Project: WildFly Core Issue Type: Bug Components: Security Affects Versions: 13.0.0.Beta2 Reporter: Ricardo Martin Camarero Assignee: Ricardo Martin Camarero When configuring https using the old security-realm the trust-manager factory is selected using [the line|https://github.com/wildfly/wildfly-core/blob/12.0.3.Final/domain-man...]: {code:java} trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); {code} Which is incorrect and should use the TrustManagerFactory. Therefore by default in openjdk we are using the {{SunX509}} factory instead of the default {{PKIX}} implementation. The default values for both factories are defined in the {{java.security}} file from the jdk: {code:java} # # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. # ssl.KeyManagerFactory.algorithm=SunX509 ssl.TrustManagerFactory.algorithm=PKIX {code} Using a exotic configuration can lead to an error if the KeyManagerFactory is configured to an algorithm that is not valid for the TrustManagerFactory (NewSunX509 for example). -- This message was sent by Atlassian Jira (v7.13.8#713008)