There is a bug in the Oracle JDK TLS implementation.
A server might have an existing SSL session that has no client authentication associated with it. For example, it might be a web server, and a client has accessed the index page. Authentication is not required for the index page, so the server hasn't requested it.
At some point in the future, the user might attempt to access a secured area of the site. A typical use case might be that they click an authenticate button. If the server wants to use SSL client certificates to authenticate the user, then at this point the server can send a renegotiation request, asking for a client certificate.
Java SSL negotiation and renegotiation have two modes when it comes to requesting a client certificate: one is "want auth", and the other is "need auth". Want auth means that if the client doesn't provide a certificate, the session will continue, without any client certificates. Need auth means that if the client doesn't provide a certificate, the session will be termi
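The two modes as they appear on the standard `javax.net.ssl.SSLEngine` API, as an added example that is not code from the original page and does not reproduce the bug. The class name `ClientAuthModes` and the helpers `requestClientCert` and `clientCertOrNull` are hypothetical; the helper that renegotiates assumes an already established TLS 1.2 (or earlier) connection.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.security.cert.X509Certificate;

public class ClientAuthModes {
    // Hypothetical helper: ask for a client certificate on an established
    // connection. Renegotiation exists only in TLS 1.2 and earlier.
    static void requestClientCert(SSLEngine engine, boolean required) throws Exception {
        if (required) {
            engine.setNeedClientAuth(true);   // no certificate -> handshake fails
        } else {
            engine.setWantClientAuth(true);   // no certificate -> session continues
        }
        engine.beginHandshake();              // starts the renegotiation
    }

    // In "want auth" mode the handshake succeeds without a certificate, so the
    // application has to check for one before serving the secured area.
    static X509Certificate clientCertOrNull(SSLSession session) {
        try {
            return (X509Certificate) session.getPeerCertificates()[0];
        } catch (SSLPeerUnverifiedException e) {
            return null;                      // client sent no certificate
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);       // act as the server side

        // The two modes are mutually exclusive: each setter overrides the other.
        engine.setWantClientAuth(true);
        engine.setNeedClientAuth(true);
        System.out.println("want=" + engine.getWantClientAuth()
                + " need=" + engine.getNeedClientAuth());

        engine.setWantClientAuth(true);
        System.out.println("want=" + engine.getWantClientAuth()
                + " need=" + engine.getNeedClientAuth());

        // No handshake has run yet, so there is no authenticated peer.
        System.out.println("peer=" + clientCertOrNull(engine.getSession()));
    }
}
```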