From a186d420666f2fb40a8a4cc85b215f919de9fc98 Mon Sep 17 00:00:00 2001
From: Pete Bentley <pete@sorted.org>
Date: Mon, 2 Mar 2026 16:25:41 +0000
Subject: [PATCH] Temporarily disable new cert checks in tests.

See #1486 for details. This reduces test noise until the
certificate generation in TestKeyStore is compatible with
the new checks in Java 26 KeyStore choose*Alias methods.
---
 .../src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java b/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java
index 350f4b33d..976e2bd47 100644
--- a/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java
+++ b/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java
@@ -186,6 +186,11 @@
 public class ConscryptOpenJdkSuite {
     @BeforeClass
     public static void setupStatic() {
+        // Java 26 introduced additional certificate checking in SunX509KeyManagerImpl
+        // that rejects test certificates lacking proper Key Usage extensions.  Disable
+        // it here so that certificate quality issues are not masked as TLS failures.
+        // TODO(#1486) Fix test certificate generation in TestKeyStore and remove this.
+        System.setProperty("jdk.tls.SunX509KeyManager.certChecking", "false");
         installConscryptAsDefaultProvider();
     }
 }