Over-restrictive EC certificate checks in JSSE TLS 1.2

Tim Whittington jdk-security-dev at whittington.net.nz
Thu Jan 29 01:32:21 UTC 2015


Hi all

I noticed looking at the JSSE cipher suite selection that EC certificates are unnecessarily restricted when TLS 1.2 is used.
Specifically sun.security.ssl.ServerHandshaker.trySetCipherSuite(CipherSuite) requires “EC_EC” certs (an EC key, signed with an EC issuer key) for *_ECDSA suites, and requires “EC_RSA” for ECDH_RSA suites.

The restrictions on signing key for EC certs were specified in RFC 4492 [1] (which introduced EC cipher-suites for TLS 1.0 and 1.1), but were explicitly removed in TLS 1.2 by RFC 5246 [2] (see Appendix A.7 and sections 7.4.2 and 7.4.6) (as an aside, this effectively makes ECDH_RSA an alias for ECDH_ECDSA).

i.e. for TLS 1.2, an “EC” only restriction is appropriate for ECDH_RSA and *_ECDSA suites.

I’ve successfully tested JSSE negotiating TLS 1.2 + ECDHE_ECDSA with an EC cert signed by an RSA issuer (in this case using Tomcat, which hard-codes the key alias to use, ignoring the keyType provided to the key store selection APIs) so this restriction can probably be quite simply removed.

cheers
tim

[1] https://tools.ietf.org/html/rfc4492
[2] https://tools.ietf.org/html/rfc5246#appendix-A.7
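The following is an added illustration of the key-type rule under discussion; it is not JDK code and does not reproduce the internals of ServerHandshaker or X509KeyManagerImpl. It keeps the key-type strings the mail quotes ("EC", "EC_EC", "EC_RSA", as used with X509KeyManager.chooseServerAlias) and places the version-independent rule (EC_EC / EC_RSA) beside a version-aware rule that drops the issuer-key constraint at TLS 1.2 and above, as RFC 5246 permits. The KeyExchange enum, the policy methods and the certMatches() signature-name parsing are this example's own assumptions; the X509Certificate overload uses only the standard getPublicKey().getAlgorithm() and getSigAlgName() accessors.

```java
import java.security.cert.X509Certificate;
import java.util.Locale;

/**
 * Added illustration (not JDK code): models which server certificate key type
 * a cipher suite may demand, before and after the RFC 5246 relaxation.
 * Key-type names follow the strings JSSE passes to X509KeyManager.chooseServerAlias;
 * the enum, policy functions and parsing below are this example's own.
 */
public final class EcCertKeyTypePolicy {

    /** The key-exchange families named in the mail; other families are out of scope. */
    public enum KeyExchange { ECDH_ECDSA, ECDHE_ECDSA, ECDH_RSA }

    /** Version-independent rule described in the mail: issuer-key restriction always applied. */
    public static String legacyKeyType(KeyExchange kx) {
        switch (kx) {
            case ECDH_ECDSA:
            case ECDHE_ECDSA:
                return "EC_EC";   // EC key, certificate signed with an EC issuer key
            case ECDH_RSA:
                return "EC_RSA";  // EC key, certificate signed with an RSA issuer key
            default:
                throw new IllegalArgumentException(kx.toString());
        }
    }

    /** RFC 4492 rule below TLS 1.2; RFC 5246 (A.7, 7.4.2, 7.4.6) rule at TLS 1.2 and above. */
    public static String keyTypeFor(String protocol, KeyExchange kx) {
        if (isTls12OrLater(protocol)) {
            return "EC";          // any EC key, whatever algorithm signed the certificate
        }
        return legacyKeyType(kx);
    }

    static boolean isTls12OrLater(String protocol) {
        // SSLv3, TLSv1 and TLSv1.1 keep the RFC 4492 restriction; TLSv1.2 and later drop it.
        return protocol.equals("TLSv1.2") || protocol.equals("TLSv1.3");
    }

    /**
     * Does a certificate with the given public-key algorithm and signature algorithm
     * name (as returned by X509Certificate.getSigAlgName(), e.g. "SHA256withRSA")
     * satisfy the requested key type?
     */
    public static boolean certMatches(String keyAlg, String sigAlgName, String keyType) {
        int sep = keyType.indexOf('_');
        String wantKey = sep < 0 ? keyType : keyType.substring(0, sep);
        String wantSigner = sep < 0 ? null : keyType.substring(sep + 1);
        if (!keyAlg.equalsIgnoreCase(wantKey)) {
            return false;
        }
        if (wantSigner == null) {
            return true;          // plain "EC": no constraint on the issuer key
        }
        // "SHA256withECDSA" -> issuer key family EC; "SHA256withRSA" -> RSA
        String upper = sigAlgName.toUpperCase(Locale.ROOT);
        int with = upper.indexOf("WITH");
        String signerAlg = with < 0 ? upper : upper.substring(with + 4);
        if (wantSigner.equals("EC")) {
            return signerAlg.startsWith("ECDSA");
        }
        return signerAlg.startsWith(wantSigner);
    }

    /** Same check run directly against a parsed certificate, e.g. one loaded from a keystore. */
    public static boolean certMatches(X509Certificate cert, String keyType) {
        return certMatches(cert.getPublicKey().getAlgorithm(), cert.getSigAlgName(), keyType);
    }

    public static void main(String[] args) {
        // Constructed scenario from the mail: EC server key in a certificate signed by an RSA issuer.
        String keyAlg = "EC";
        String sigAlg = "SHA256withRSA";
        for (String proto : new String[] {"TLSv1.1", "TLSv1.2"}) {
            for (KeyExchange kx : KeyExchange.values()) {
                boolean legacy = certMatches(keyAlg, sigAlg, legacyKeyType(kx));
                boolean rfc = certMatches(keyAlg, sigAlg, keyTypeFor(proto, kx));
                System.out.printf("%-8s %-12s legacy=%-5b versionAware=%b%n", proto, kx, legacy, rfc);
            }
        }
    }
}
```

For the constructed EC-key, RSA-signed certificate, the version-independent rule accepts it only for ECDH_RSA under either protocol, while the version-aware rule accepts it for all three families at TLSv1.2 and keeps the RFC 4492 behaviour at TLSv1.1; pointing the X509Certificate overload at a real server chain shows which suite families that chain could serve under each rule.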

