KTOR - reusing clients marks SSL as OK?

Question

If I reuse an httpclient, then it does not detect a certificate error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

First consider this case, which work correctly in the sense that the request using basicClient2 throws the aforementioned exception.

val basicClient1 = HttpClientCreator.createClient()
val response1 = runBlocking {
    return@runBlocking basicClient1.get("https://x1.com");
}
println("Get against https://x1.com: " + response1.status)
basicClient1.close();
val basicClient2 = HttpClientCreator.createClient()
val response2 = runBlocking {
    return@runBlocking basicClient2.get("https://y.com");
}
println("Get against https://y.com: " + response2.status)
basicClient2.close()

However, if I reuse the same client for the request to https://y.com , then I do not get the exception:

val basicClient1 = HttpClientCreator.createClient()
val response1 = runBlocking {
    return@runBlocking basicClient1.get("https://x.com");
}
println("Get against https://x.com: " + response1.status)
val response2 = runBlocking {
    return@runBlocking basicClient1.get("https://y.com");
}
println("Get against https://y.com: " + response2.status)
basicClient1.close()

Get against https://x.com: 200 OK
Get against https://y.com: 200 OK

createClient function:

fun createClient() = HttpClient(Java)

ktor version: 2.2.2

This seems wrong, very wrong. What am I missing?

Answer 1

The problem is in the Java HTTP client itself and cannot be reproduced with the latest versions of JDK 11, 17, and 19, eg, Amazon Corretto 11.0.18. It seems like the bug was fixed in one of the patch releases.