Over-restrictive EC certificate checks in JSSE TLS 1.2

Xuelei Fan xuelei.fan at oracle.com
Thu Jan 29 04:17:49 UTC 2015

Hi Tim,

Thanks for the find of the restriction in OpenJDK.  The bug is tracked
as JDK-8071858:

(I just filed a bug, may need a few time to see it in public.)

Thanks & Regards,

On 1/29/2015 9:32 AM, Tim Whittington wrote:
> Hi all
> I noticed looking at the JSSE cipher suite selection that EC certificates are unnecessarily restricted when TLS 1.2 is used.
> Specifically sun.security.ssl.ServerHandshaker.trySetCipherSuite(CipherSuite) requires “EC_EC” certs (an EC key, signed with an EC issuer key) for *_ECDSA suites, and requires “EC_RSA” for ECDH_RSA suites.
> The restrictions on signing key for EC certs were specified in RFC 4492 (which introduced EC cipher-suites for TLS 1.0 and 1.1), but were explicitly removed in TLS 1.2 by RFC 5246 [2] (see Appendix A.7 and sections 7.4.2 and 7.4.6) (as an aside this effectively this makes ECDH_RSA an alias for ECDH_ECDSA).
> i.e. for TLS 1.2, an “EC” only restriction is appropriate for ECDH_RSA and *_ECDSA suites.
> I’ve successfully tested JSSE negotiating TLS 1.2 + ECDHE_ECDSA with an EC cert signed by an RSA issuer (in this case using Tomcat, which hard-codes the key alias to use, ignoring the keyType provided to the key store selection APIs) so this restriction can probably be quite simply removed.
> cheers
> tim
> [1] https://tools.ietf.org/html/rfc4492
> [2] https://tools.ietf.org/html/rfc5246#appendix-A.7

More information about the security-dev mailing list