Code Review Request, 8136442 Don't tie Certificate signature algorithms to ciphersuites
Xuelei Fan
xuelei.fan at oracle.com
Sun Nov 29 13:55:11 UTC 2015
Hi,
Please review the fix for JDK-8136442:
http://cr.openjdk.java.net/~xuelei/8136442/webrev.00/
This update is proposing to remove the certificate signature algorithms
restrictions on cipher suites.
Per TLS ECC spec [section 5.3, RFC 4492],
ECDHE_ECDSA Certificate MUST contain an ECDSA-capable public key.
It MUST be signed with ECDSA.
RSA signed EC-key certs cannot be used for ECDHE_ECDSA cipher suites.
That's the current implementation.
However, the restrictions on the algorithm used to sign certificates are
relaxed in TLS 1.2 [RFC 5246]. Certificate signature algorithms are no
longer tied to cipher suites. But we have not removed the restrictions
in our implementation yet.
As this is a straightforward and simple fix, no new test case is planned.
Thanks,
Xuelei
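
The version-dependent rule described in the message above, as an added Java sketch that is not part of the original post, the webrev, or JSSE itself. The class name, method name and sample values are hypothetical, and the method assumes the caller passes the effective list of signature algorithms the peer accepts under TLS 1.2.

```java
import java.util.List;
import java.util.Locale;

public class CertSigAlgCheck {

    /**
     * Hypothetical helper (not JSSE code): may an end-entity certificate be
     * used for an ECDHE_ECDSA cipher suite?
     *
     * keyAlg and sigAlg use the names returned by
     * X509Certificate.getPublicKey().getAlgorithm() and getSigAlgName().
     * peerSigAlgs is the effective list of signature algorithms the peer
     * accepts in TLS 1.2; it is ignored for earlier versions.
     */
    static boolean usableForEcdheEcdsa(String protocol, String keyAlg,
                                       String sigAlg, List<String> peerSigAlgs) {
        // Every protocol version requires an ECDSA-capable public key.
        if (!"EC".equalsIgnoreCase(keyAlg)) {
            return false;
        }
        if (!"TLSv1.2".equals(protocol)) {
            // RFC 4492 section 5.3: the certificate MUST be signed with ECDSA.
            return sigAlg.toUpperCase(Locale.ROOT).endsWith("WITHECDSA");
        }
        // TLS 1.2: the signature algorithm is no longer tied to the suite;
        // it only has to be one the peer accepts.
        for (String accepted : peerSigAlgs) {
            if (accepted.equalsIgnoreCase(sigAlg)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: an EC-key certificate signed by an RSA CA.
        String keyAlg = "EC";
        String sigAlg = "SHA256withRSA";
        List<String> peer = List.of("SHA256withECDSA", "SHA256withRSA");

        // Pre-TLS 1.2: rejected by the RFC 4492 rule.
        System.out.println(usableForEcdheEcdsa("TLSv1.1", keyAlg, sigAlg, peer));
        // TLS 1.2, peer accepts RSA signatures: usable.
        System.out.println(usableForEcdheEcdsa("TLSv1.2", keyAlg, sigAlg, peer));
        // TLS 1.2, peer accepts only ECDSA signatures: still rejected.
        System.out.println(usableForEcdheEcdsa("TLSv1.2", keyAlg, sigAlg,
                List.of("SHA256withECDSA")));
    }
}
```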