RFR: JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms

Jamil Nimeh jamil.j.nimeh at oracle.com
Thu Oct 11 17:11:38 UTC 2018


Hello all,

This fixes an issue with the TLS 1.3 CertificateRequest message. In 
cases where the server side can initially support multiple protocol 
versions, by the time it issues a CertificateRequest message it collects 
the list of supported signature schemes for the signature_algorithms and 
signature_algorithms_cert extensions using all supported protocols as a 
filtering mechanism.

This change alters the filtering process to use only the negotiated 
protocol, so only those sig algs allowed for that one protocol version 
will be asserted.

Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8211866/webrev.01/

JBS: https://bugs.openjdk.java.net/browse/JDK-8211866
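As an added illustration (not code from the webrev or the JDK), a small Java model of the filtering the mail describes: the hypothetical `Scheme` table and `buggyOffer`/`fixedOffer` methods are constructed here, and the per-version allowances are illustrative, following RFC 8446's removal of PKCS#1 v1.5 and SHA-1 schemes from TLS 1.3 handshake signatures.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Model of how the server builds the signature_algorithms list for a
// CertificateRequest. Hypothetical types, not the JDK's own classes.
public class CertReqSigAlgFilter {
    enum Protocol { TLS12, TLS13 }

    // Constructed table: the versions in which each scheme may be offered.
    // Illustrative only; it mirrors RFC 8446 dropping PKCS#1 v1.5 and SHA-1
    // schemes from TLS 1.3 handshake signatures.
    enum Scheme {
        ECDSA_SECP256R1_SHA256(EnumSet.of(Protocol.TLS12, Protocol.TLS13)),
        RSA_PSS_RSAE_SHA256(EnumSet.of(Protocol.TLS12, Protocol.TLS13)),
        RSA_PKCS1_SHA256(EnumSet.of(Protocol.TLS12)),
        ECDSA_SHA1(EnumSet.of(Protocol.TLS12)),
        RSA_PKCS1_SHA1(EnumSet.of(Protocol.TLS12));

        final Set<Protocol> allowedIn;
        Scheme(Set<Protocol> allowedIn) { this.allowedIn = allowedIn; }
    }

    // A scheme survives the filter if it is allowed in ANY of the given
    // protocol versions. Before the fix the server passed every version it
    // could have negotiated, so TLS 1.2-only schemes leaked into a TLS 1.3
    // CertificateRequest.
    static List<Scheme> buggyOffer(List<Protocol> activeProtocols) {
        List<Scheme> offered = new ArrayList<>();
        for (Scheme s : Scheme.values()) {
            for (Protocol p : activeProtocols) {
                if (s.allowedIn.contains(p)) {
                    offered.add(s);
                    break;
                }
            }
        }
        return offered;
    }

    // The fix changes the input, not the filter: only the negotiated
    // version is consulted, so only schemes valid for it are asserted.
    static List<Scheme> fixedOffer(Protocol negotiated) {
        return buggyOffer(List.of(negotiated));
    }

    public static void main(String[] args) {
        List<Protocol> active = List.of(Protocol.TLS13, Protocol.TLS12);
        System.out.println("filtered by active protocols:   " + buggyOffer(active));
        System.out.println("filtered by negotiated TLS 1.3: " + fixedOffer(Protocol.TLS13));
    }
}
```

With TLS 1.3 negotiated, the first line lists all five schemes while the second lists only the two allowed in TLS 1.3.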
