RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v4]
Artur Barashev
abarashev at openjdk.org
Fri Jun 6 23:34:52 UTC 2025
On Thu, 5 Jun 2025 19:00:27 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Make the test run on TLSv1.3
>
> test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java line 1:
>
>> 1: /*
>
> Are these changes relevant to this issue? It doesn't use a SunX509 TrustManager AFAICT.
You mean `SunX509` KeyManager? All these existing tests I'm modifying in this PR are using it together with the certificates signed with `MD5withRSA` algorithm. That's why they fail when we add algorithm constraints to SunX509KeyManagerImpl - MD5 is not allowed in TLSv1.3.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2133073579
More information about the net-dev
mailing list