Merge pull request #282 from ibmruntimes/openj9

Merge jdk-17.0.10+4 and OpenJ9 update to 0.43
ibmruntimes · Nov 24, 2023 · bf5bcad · bf5bcad
2 parents 83b321b + 67b9bcb
commit bf5bcad
Show file tree

Hide file tree

Showing 34 changed files with 1,803 additions and 1,249 deletions.
diff --git a/.github/workflows/build-cross-compile.yml b/.github/workflows/build-cross-compile.yml
@@ -100,6 +100,10 @@ jobs:
  with:
  platform: linux-x64
 
+ - name: 'Get GTest'
+ id: gtest
+ uses: ./.github/actions/get-gtest
+
  # Upgrading apt to solve libc6 installation bugs, see JDK-8260460.
  - name: 'Install toolchain and dependencies'
  run: |
@@ -155,6 +159,7 @@ jobs:
  --with-conf-name=linux-${{ matrix.target-cpu }}
  --with-version-opt=${GITHUB_ACTOR}-${GITHUB_SHA}
  --with-boot-jdk=${{ steps.bootjdk.outputs.path }}
+ --with-gtest=${{ steps.gtest.outputs.path }}
  --with-zlib=system
  --enable-debug
  --disable-precompiled-headers

diff --git a/closed/openjdk-tag.gmk b/closed/openjdk-tag.gmk
@@ -1 +1 @@
-OPENJDK_TAG := jdk-17.0.10+3
+OPENJDK_TAG := jdk-17.0.10+4
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
@@ -146,12 +146,6 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
  fi
  fi
 
- # Because RISC-V only has word-sized atomics, it requries libatomic where
- # other common architectures do not. So link libatomic by default.
- if test "x$OPENJDK_TARGET_OS" = xlinux && test "x$OPENJDK_TARGET_CPU" = xriscv64; then
- BASIC_JVM_LIBS="$BASIC_JVM_LIBS -latomic"
- fi
-
  # perfstat lib
  if test "x$OPENJDK_TARGET_OS" = xaix; then
  BASIC_JVM_LIBS="$BASIC_JVM_LIBS -lperfstat"

diff --git a/make/data/cacerts/digicertcseccrootg5 b/make/data/cacerts/digicertcseccrootg5
@@ -0,0 +1,21 @@
+Owner: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+Issuer: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+Serial number: 3698fe712d519f3ced0fdb7b1643011
+Valid from: Fri Jan 15 00:00:00 GMT 2021 until: Sun Jan 14 23:59:59 GMT 2046
+Signature algorithm name: SHA384withECDSA
+Subject Public Key Algorithm: 384-bit EC (secp384r1) key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIICFjCCAZ2gAwIBAgIQA2mP5xLVGfPO0P23sWQwETAKBggqhkjOPQQDAzBNMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJTAjBgNVBAMTHERp
+Z2lDZXJ0IENTIEVDQyBQMzg0IFJvb3QgRzUwHhcNMjEwMTE1MDAwMDAwWhcNNDYw
+MTE0MjM1OTU5WjBNMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIElu
+Yy4xJTAjBgNVBAMTHERpZ2lDZXJ0IENTIEVDQyBQMzg0IFJvb3QgRzUwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAAR/FK2Ftpf9AiE1TWDoOJOTmz0FEG2v0/7v+rv7c5nz
+7DISjcdouIveiaKIVHeNuyF+M5VWlgno1YyhBLibbhkAYuhCKKZYN4QZVSZ7Mzdn
+8ppyraGurgBCPBx+uHqeIZyjQjBAMB0GA1UdDgQWBBTwjJhxOThlwjobphdmHcjt
+Zd6SNjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQD
+AwNnADBkAjAjb+EAGSZQ5EYgZYs3p8/rBuHMMskqoewyDXOiHgIcNWEqTmmrOXft
+l4jAfWvqid0CMEPx0VijdT6Gm7ZVEYsX9z3+CmnFf07GdRtalMvqERHGCCKI3tB6
+oqV56OMhp80Tsw==
+-----END CERTIFICATE-----
diff --git a/make/data/cacerts/digicertcsrsarootg5 b/make/data/cacerts/digicertcsrsarootg5
@@ -0,0 +1,38 @@
+Owner: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+Issuer: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+Serial number: 6cee131be6d55c807f7c0c7fb44e620
+Valid from: Fri Jan 15 00:00:00 GMT 2021 until: Sun Jan 14 23:59:59 GMT 2046
+Signature algorithm name: SHA384withRSA
+Subject Public Key Algorithm: 4096-bit RSA key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIIFZDCCA0ygAwIBAgIQBs7hMb5tVcgH98DH+0TmIDANBgkqhkiG9w0BAQwFADBM
+MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJDAiBgNVBAMT
+G0RpZ2lDZXJ0IENTIFJTQTQwOTYgUm9vdCBHNTAeFw0yMTAxMTUwMDAwMDBaFw00
+NjAxMTQyMzU5NTlaMEwxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwg
+SW5jLjEkMCIGA1UEAxMbRGlnaUNlcnQgQ1MgUlNBNDA5NiBSb290IEc1MIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtjNzgNhiA3AULBEcOV58rnyDhh3+
+Ji9MJK2L6oNfqbw9W/wLmEwCRzDs4v7s6DRbZl6/O9cspiX/jFmz3+rafCnZRlBy
+CB1u0RsK3R/NmYn6Dw9zxOGcHXUyzW+X2ipqlbJsyQnQ6gt7fRcGSZnv1t7gyFPU
+rsZ38Ya7Ixy4wN9Z94590e+C5iaLWji1/3XVstlPCfM3iFDaEaSKFBTRUwQAffNq
+RBj+UHAyBxyomg46HcUKH24LJmm3PKJXcCyG+kxulalYQ7msEtb/P+3XQxdrTM6e
+xJCr//oQUJqjkFfW54wQrp8WGs81HX/Xdu2KnDWnKLinXSH8MDfd3ggZTxXG56ba
+kEeO95RTTI5TAr79meXqhtCvAwLTm6qT8asojiAB/0z7zLcpQPWHpBITBR9DbtdR
+UJ84tCDtFwkSj8y5Ga+fzb5pEdOvVRBtF4Z5llLGsgCd5a84sDX0iGuPDgQ9fO6v
+zdNqEErGzYbKIj2hSlz7Dv+I31xip8C5HtmsbH44N/53kyXChYpPtTcGWgaBFPHO
+lJ2ZkeoyWs5nPW4EZq0MTy2jLvee9Xid9wr9fo/jQopVlrzxnzct/J5flf6MGBv8
+jv1LkK/XA2gSY6zik6eiywTlT2TOA/rGFJ/Zi+jM1GKMa+QALBmfGgbGMYFU+1Mk
+mq9Vmbqdda64wt0CAwEAAaNCMEAwHQYDVR0OBBYEFGgBk7HSSkBCaZRGLBxaiKkl
+tEdPMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+DAUAA4ICAQCS/O64AnkXAlF9IcVJZ6ek8agkOOsMaOpaQmuc9HPBaUotszcFUEKY
+kp4GeSwuBpn2798roM2zkgGDtaDLJ7U8IxqYSaLsLZmlWUOs0rGT1lfXHLyT1sZA
+4bNvGVW3E9flQzOktavL2sExZA101iztw41u67uvGUdhYS3A9AW5b3jcOvdCQGVT
+kb2ZDZOSVKapN1krm8uZxrw99wSE8JQzHQ+CWjnLLkXDKBmjspuYyPwxa2CP9umG
+KLzgPH10XRaJW2kkxxCLxEu7Nk/UWT/DsKSRmfgu0UoBnfWIEu+/WhFqWU9Za1pn
+84+0Ew/A2C89KHKqGX8RfWpbn5XnX7eUT/E+oVr/Lcyd3yd3jzJzHGcKdvP6XLG/
+vB29DCibsscXZwszD8O9Ntz7ukILq+2Ew2LWhBapsQdrqW7uxs/msEQpwvCzYYAq
+i2/SFFwlh1Rk86RMwaH4p2vq/uo6/HnbDo/cxvPJ1Gze6YOhjh0i7Mk6sgB73Dun
+Qhp/3IupET2Op8Agb10JXUNE5o9mzKlbB/Hvm3oOs1ThlP0OLMaT11X9cZg1uAlK
+/8YpKCz2Ui3bFBiSJ+IWfozK1GG+goeR65g3P79fXXc/NKwbOEOraHKZMh46Ghml
+ozhMI9ej58zVKpIXkAtaS70WvfuGauKJmezkoFUYyaMIHxPgMghy0A==
+-----END CERTIFICATE-----
diff --git a/make/data/cacerts/digicerttlseccrootg5 b/make/data/cacerts/digicerttlseccrootg5
@@ -0,0 +1,21 @@
+Owner: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+Issuer: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+Serial number: 9e09365acf7d9c8b93e1c0b042a2ef3
+Valid from: Fri Jan 15 00:00:00 GMT 2021 until: Sun Jan 14 23:59:59 GMT 2046
+Signature algorithm name: SHA384withECDSA
+Subject Public Key Algorithm: 384-bit EC (secp384r1) key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIICGTCCAZ+gAwIBAgIQCeCTZaz32ci5PhwLBCou8zAKBggqhkjOPQQDAzBOMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp
+Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDExNTAwMDAwMFoXDTQ2
+MDExNDIzNTk1OVowTjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ
+bmMuMSYwJAYDVQQDEx1EaWdpQ2VydCBUTFMgRUNDIFAzODQgUm9vdCBHNTB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABMFEoc8Rl1Ca3iOCNQfN0MsYndLxf3c1TzvdlHJS
+7cI7+Oz6e2tYIOyZrsn8aLN1udsJ7MgT9U7GCh1mMEy7H0cKPGEQQil8pQgO4CLp
+0zVozptjn4S1mU1YoI71VOeVyaNCMEAwHQYDVR0OBBYEFMFRRVBZqz7nLFr6ICIS
+B4CIfBFqMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
+BAMDA2gAMGUCMQCJao1H5+z8blUD2WdsJk6Dxv3J+ysTvLd6jLRl0mlpYxNjOyZQ
+LgGheQaRnUi/wr4CMEfDFXuxoJGZSZOoPHzoRgaLLPIxAJSdYsiJvRmEFOml+wG4
+DXZDjC5Ty3zfDBeWUA==
+-----END CERTIFICATE-----
diff --git a/make/data/cacerts/digicerttlsrsarootg5 b/make/data/cacerts/digicerttlsrsarootg5
@@ -0,0 +1,38 @@
+Owner: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+Issuer: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+Serial number: 8f9b478a8fa7eda6a333789de7ccf8a
+Valid from: Fri Jan 15 00:00:00 GMT 2021 until: Sun Jan 14 23:59:59 GMT 2046
+Signature algorithm name: SHA384withRSA
+Subject Public Key Algorithm: 4096-bit RSA key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIIFZjCCA06gAwIBAgIQCPm0eKj6ftpqMzeJ3nzPijANBgkqhkiG9w0BAQwFADBN
+MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJTAjBgNVBAMT
+HERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwHhcNMjEwMTE1MDAwMDAwWhcN
+NDYwMTE0MjM1OTU5WjBNMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQs
+IEluYy4xJTAjBgNVBAMTHERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCz0PTJeRGd/fxmgefM1eS87IE+
+ajWOLrfn3q/5B03PMJ3qCQuZvWxX2hhKuHisOjmopkisLnLlvevxGs3npAOpPxG0
+2C+JFvuUAT27L/gTBaF4HI4o4EXgg/RZG5Wzrn4DReW+wkL+7vI8toUTmDKdFqgp
+wgscONyfMXdcvyej/Cestyu9dJsXLfKB2l2w4SMXPohKEiPQ6s+d3gMXsUJKoBZM
+pG2T6T867jp8nVid9E6P/DsjyG244gXazOvswzH016cpVIDPRFtMbzCe88zdH5RD
+nU1/cHAN1DrRN/BsnZvAFJNY781BOHW8EwOVfH/jXOnVDdXifBBiqmvwPXbzP6Po
+sMH976pXTayGpxi0KcEsDr9kvimM2AItzVwv8n/vFfQMFawKsPHTDU9qTXeXAaDx
+Zre3zu/O7Oyldcqs4+Fj97ihBMi8ez9dLRYiVu1ISf6nL3kwJZu6ay0/nTvEF+cd
+Lvvyz6b84xQslpghjLSR6Rlgg/IwKwZzUNWYOwbpx4oMYIwo+FKbbuH2TbsGJJvX
+KyY//SovcfXWJL5/MZ4PbeiPT02jP/816t9JXkGPhvnxd3lLG7SjXi/7RgLQZhNe
+XoVPzthwiHvOAbWWl9fNff2C+MIkwcoBOU+NosEUQB+cZtUMCUbW8tDRSHZWOkPL
+tgoRObqME2wGtZ7P6wIDAQABo0IwQDAdBgNVHQ4EFgQUUTMc7TZArxfTJc1paPKv
+TiM+s0EwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQEMBQADggIBAGCmr1tfV9qJ20tQqcQjNSH/0GEwhJG3PxDPJY7Jv0Y02cEhJhxw
+GXIeo8mH/qlDZJY6yFMECrZBu8RHANmfGBg7sg7zNOok992vIGCukihfNudd5N7H
+PNtQOa27PShNlnx2xlv0wdsUpasZYgcYQF+Xkdycx6u1UQ3maVNVzDl92sURVXLF
+O4uJ+DQtpBflF+aZfTCIITfNMBc9uPK8qHWgQ9w+iUuQrm0D4ByjoJYJu32jtyoQ
+REtGBzRj7TG5BO6jm5qu5jF49OokYTurWGT/u4cnYiWB39yhL/btp/96j1EuMPik
+AdKFOV8BmZZvWltwGUb+hmA+rYAQCd05JS9Yf7vSdPD3Rh9GOUrYU9DzLjtxpdRv
+/PNn5AeP3SYZ4Y1b+qOTEZvpyDrDVWiakuFSdjjo4bq9+0/V77PnSIMx8IIh47a+
+p6tv75/fTM8BuGJqIz3nCU2AG3swpMPdB380vqQmsvZB6Akd4yCYqjdP//fx4ilw
+MUc/dNAUFvohigLVigmUdy7yWSiLfFCSCmZ4OIN1xLVaqBHG5cGdZlXPU8Sv13WF
+qUITVuwhd4GTWgzqltlJyqEI8pc7bZsEGCREjnwB8twl2F6GmrE52/WRMmrRpnCK
+ovfepEWFJqgejF0pW8hL2JpqA15w8oVPbEtoL8pU9ozaMv7Da4M/OMZ+
+-----END CERTIFICATE-----
diff --git a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1043,6 +1043,7 @@ private static SSLPossession choosePossession(
  }
 
  Collection<String> checkedKeyTypes = new HashSet<>();
+ List<String> supportedKeyTypes = new ArrayList<>();
  for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
  if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
  if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -1051,6 +1052,7 @@ private static SSLPossession choosePossession(
  }
  continue;
  }
+ checkedKeyTypes.add(ss.keyAlgorithm);
 
  // Don't select a signature scheme unless we will be able to
  // produce a CertificateVerify message later
@@ -1064,36 +1066,28 @@ private static SSLPossession choosePossession(
  "Unable to produce CertificateVerify for " +
  "signature scheme: " + ss.name);
  }
- checkedKeyTypes.add(ss.keyAlgorithm);
  continue;
  }
 
- SSLAuthentication ka = X509Authentication.valueOf(ss);
+ X509Authentication ka = X509Authentication.valueOf(ss);
  if (ka == null) {
  if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
  SSLLogger.warning(
  "Unsupported authentication scheme: " + ss.name);
  }
- checkedKeyTypes.add(ss.keyAlgorithm);
  continue;
  }
-
- SSLPossession pos = ka.createPossession(hc);
- if (pos == null) {
- if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
- SSLLogger.warning(
- "Unavailable authentication scheme: " + ss.name);
- }
- continue;
- }
-
- return pos;
+ supportedKeyTypes.add(ss.keyAlgorithm);
  }
 
- if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
- SSLLogger.warning("No available authentication scheme");
+ SSLPossession pos = X509Authentication
+ .createPossession(hc, supportedKeyTypes.toArray(String[]::new));
+ if (pos == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning("No available authentication scheme");
+ }
  }
- return null;
+ return pos;
  }
 
  private byte[] onProduceCertificate(ClientHandshakeContext chc,

diff --git a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
@@ -45,7 +45,6 @@
 import sun.security.ssl.CipherSuite.KeyExchange;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
 import sun.security.ssl.X509Authentication.X509Possession;
-import sun.security.ssl.X509Authentication.X509PossessionGenerator;
 
 /**
  * Pack of the CertificateRequest handshake message.
@@ -726,10 +725,11 @@ public void consume(ConnectionContext context,
  chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);
  chc.peerSupportedAuthorities = crm.getAuthorities();
 
- // For TLS 1.2, we need to use a combination of the CR message's
- // allowed key types and the signature algorithms in order to
- // find a certificate chain that has the right key and all certs
- // using one or more of the allowed cert signature schemes.
+ // For TLS 1.2, we no longer use the certificate_types field
+ // from the CertificateRequest message to directly determine
+ // the SSLPossession. Instead, the choosePossession method
+ // will use the accepted signature schemes in the message to
+ // determine the set of acceptable certificate types to select from.
  SSLPossession pos = choosePossession(chc, crm);
  if (pos == null) {
  return;
@@ -761,6 +761,7 @@ private static SSLPossession choosePossession(HandshakeContext hc,
  }
 
  Collection<String> checkedKeyTypes = new HashSet<>();
+ List<String> supportedKeyTypes = new ArrayList<>();
  for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
  if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
  if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -769,6 +770,7 @@ private static SSLPossession choosePossession(HandshakeContext hc,
  }
  continue;
  }
+ checkedKeyTypes.add(ss.keyAlgorithm);
 
  // Don't select a signature scheme unless we will be able to
  // produce a CertificateVerify message later
@@ -782,7 +784,6 @@ private static SSLPossession choosePossession(HandshakeContext hc,
  "Unable to produce CertificateVerify for " +
  "signature scheme: " + ss.name);
  }
- checkedKeyTypes.add(ss.keyAlgorithm);
  continue;
  }
 
@@ -792,45 +793,32 @@ private static SSLPossession choosePossession(HandshakeContext hc,
  SSLLogger.warning(
  "Unsupported authentication scheme: " + ss.name);
  }
- checkedKeyTypes.add(ss.keyAlgorithm);
  continue;
  } else {
- // Any auth object will have a possession generator and
- // we need to make sure the key types for that generator
- // share at least one common algorithm with the CR's
- // allowed key types.
- if (ka.possessionGenerator instanceof
- X509PossessionGenerator xpg) {
- if (Collections.disjoint(crKeyTypes,
- Arrays.asList(xpg.keyTypes))) {
- if (SSLLogger.isOn &&
- SSLLogger.isOn("ssl,handshake")) {
- SSLLogger.warning(
- "Unsupported authentication scheme: " +
- ss.name);
- }
- checkedKeyTypes.add(ss.keyAlgorithm);
- continue;
+ // Any auth object will have a set of allowed key types.
+ // This set should share at least one common algorithm with
+ // the CR's allowed key types.
+ if (Collections.disjoint(crKeyTypes,
+ Arrays.asList(ka.keyTypes))) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "Unsupported authentication scheme: " +
+ ss.name);
  }
+ continue;
  }
  }
-
- SSLPossession pos = ka.createPossession(hc);
- if (pos == null) {
- if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
- SSLLogger.warning(
- "Unavailable authentication scheme: " + ss.name);
- }
- continue;
- }
-
- return pos;
+ supportedKeyTypes.add(ss.keyAlgorithm);
  }
 
- if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
- SSLLogger.warning("No available authentication scheme");
+ SSLPossession pos = X509Authentication
+ .createPossession(hc, supportedKeyTypes.toArray(String[]::new));
+ if (pos == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning("No available authentication scheme");
+ }
  }
- return null;
+ return pos;
  }
  }