--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java Tue May 15 14:54:04 2018 -0400
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java Tue May 15 13:01:37 2018 -0700
@@ -436,7 +436,8 @@
// DO NOT need to check allowUnsafeServerCertChange here. We only
// reserve server certificates when allowUnsafeServerCertChange is
// flase.
- if (chc.reservedServerCerts != null) {
+ if (chc.reservedServerCerts != null &&
+ !chc.handshakeSession.useExtendedMasterSecret) {
// It is not necessary to check the certificate update if
// endpoint identification is enabled.
String identityAlg = chc.sslConfig.identificationProtocol;