It is intended to fix these issues:
https://igniterealtime.atlassian.net/browse/SPARK-2184 - Spark should not reject end-entity certificates without basic constraints
https://igniterealtime.atlassian.net/browse/SPARK-2185 - The CertPath that’s verified should not be allowed to be empty
https://igniterealtime.atlassian.net/browse/SPARK-2186 - Certificate validation should target the end-entity certificate, not the CA
https://igniterealtime.atlassian.net/browse/SPARK-2187 - Spark should not offer to add CA certs that it already has in the truststore
https://igniterealtime.atlassian.net/browse/SPARK-2188 - Some certificate chain validations fail with ‘Certificate does not specify OCSP responder’
To be honest, I don’t understand much of the issues described here, but I trust @guus. I have tried this build with a fresh profile and it works as intended with 3 servers I have tested it on.
@speedy @Alameyo @ilyaHlevnoy @R87A if you can take a look and provide any observations about the code or any issues noticed when running this build (specifically when signing in to servers and accepting certificates), this would be helpful to understand if this patch was successful and hasn’t broken anything.