When configuring Jetty with a PKCS12 keystore containing a server certificate, its proper signing chain, and additional unrelated root or intermediate certificates, Jetty sends all certificates in the keystore during the TLS handshake, not just the certificates associated with the selected key alias.
This results in TLS clients receiving an expanded certificate chain containing certificates that are not part of the issuer/subject chain for the server certificate. Some clients reject the handshake or display trust warnings because an unexpected certificate appears in the chain.
Is there any chance something can be done to filter out the certificates that are not part of the chain for the server certificate?
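One workaround worth trying before waiting on a Jetty-side fix is to hand Jetty a keystore that physically contains nothing but the key entry and its own issuer chain, so there are no unrelated certificates for it to send. The program below is an added example, not code from the original post or from the Jetty project: it reads a PKCS12 file, checks that the chain stored under the chosen alias actually links leaf to issuer (subject/issuer match and signature verification), and writes a new PKCS12 containing only that key entry and chain. File names, the alias and the environment variable holding the password are assumptions for illustration; it also assumes the key uses the same password as the store, which is the usual case for PKCS12.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Builds a PKCS12 keystore that holds only the private-key entry for one alias
 * plus the issuer chain recorded for it, dropping every other entry (unrelated
 * roots, intermediates, or trusted-certificate entries).
 */
public class TrimKeystore {

    /** Returns all alias names in the keystore (useful to see what is being dropped). */
    public static List<String> listAliases(KeyStore ks) throws KeyStoreException {
        List<String> out = new ArrayList<>();
        Enumeration<String> e = ks.aliases();
        while (e.hasMoreElements()) {
            out.add(e.nextElement());
        }
        return out;
    }

    /**
     * Validates that chain[i+1] is the issuer of chain[i] for every i and that each
     * signature verifies. Throws if the stored chain is not a proper issuer chain.
     */
    public static void checkChainLinks(Certificate[] chain) throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            throw new GeneralSecurityException("alias has no certificate chain");
        }
        for (int i = 1; i < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i - 1];
            X509Certificate parent = (X509Certificate) chain[i];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                throw new GeneralSecurityException("chain break: " + child.getSubjectX500Principal()
                        + " is not issued by " + parent.getSubjectX500Principal());
            }
            // Throws SignatureException / InvalidKeyException if the parent did not sign the child.
            child.verify(parent.getPublicKey());
        }
    }

    /** Copies only the key entry for {@code alias} (key + its chain) into a fresh PKCS12 keystore. */
    public static KeyStore trim(KeyStore src, String alias, char[] password)
            throws GeneralSecurityException, IOException {
        if (!src.isKeyEntry(alias)) {
            throw new IllegalArgumentException("not a key entry: " + alias);
        }
        Key key = src.getKey(alias, password);
        Certificate[] chain = src.getCertificateChain(alias);
        checkChainLinks(chain);

        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null); // initialise an empty in-memory store
        dst.setKeyEntry(alias, key, password, chain);
        return dst;
    }

    // Usage (assumed names): java TrimKeystore full.p12 jetty trimmed.p12
    // with the store/key password in the KEYSTORE_PASSWORD environment variable.
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrimKeystore <in.p12> <alias> <out.p12>");
            System.exit(2);
        }
        char[] password = System.getenv("KEYSTORE_PASSWORD").toCharArray();

        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            src.load(in, password);
        }
        System.out.println("entries in source keystore: " + listAliases(src));

        KeyStore dst = trim(src, args[1], password);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            dst.store(out, password);
        }
        System.out.println("entries in trimmed keystore: " + listAliases(dst)
                + " (chain length " + dst.getCertificateChain(args[1]).length + ")");
    }
}
```

Point Jetty's `SslContextFactory` at the trimmed file and then confirm from the outside what the server actually presents, for example with `openssl s_client -connect host:8443 -showcerts </dev/null`; the certificate list it prints should now be exactly the leaf followed by its intermediates and nothing else. The chain check matters because a PKCS12 can carry a chain that is out of order or that includes a stray certificate for a key entry, in which case the client warning is not Jetty's doing at all.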